"Fossies" - the Fresh Open Source Software Archive

Member "socat-1.7.3.2/SECURITY" (21 Jul 2016, 1849 Bytes) of package /linux/privat/socat-1.7.3.2.tar.gz:




Tips for using socat in secured environments:

* Configure socat to only enable the required features, e.g. to protect your
	filesystem from any accesses through socat:
	make distclean
	./configure --disable-file --disable-creat --disable-gopen \
		 --disable-pipe --disable-unix --disable-exec --disable-system
	Use "socat -V" to see what features are still enabled; see
	"./configure --help" for more options to disable.

* Do NOT install socat SUID root (or similar) when you have untrusted users or
unprivileged daemons on your machine, because the full install of socat can
overwrite arbitrary files and execute arbitrary programs!

* Set logging to "-d -d" (in special cases even higher).

* With files, protect against symlink attacks with nofollow (Linux), and
avoid accessing files in world-writable directories like /tmp.

* When listening, use the bind option (except with UNIX domain sockets).

* When listening, use the range option (currently only for IP4 sockets).

* When using socat with system, exec, or in a shell script, know what you are
doing.

* With system and exec, use absolute paths or set the path option.

* When starting programs with socat, consider using the chroot option (this
requires root, so use the substuser option too).

* Start socat as root only if required; if so, use the substuser option.
Note: starting a SUID program after applying substuser or setuid gives the
process the identity of the SUID file's owner, which might give it root
privileges again.

* Socat, like netcat, is what intruders like to have on their victims'
machines: once they have gained a toehold they try to establish a versatile
connection back to their attack base, and they want to attack other systems.
For both purposes, socat could be helpful. Therefore, it might be useful to
install socat with owner/permissions root:socatgrp/750, and to make all
trusted users members of group socatgrp.
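
An added example (not part of the socat distribution) that automates two of the
checks above: which of the features disabled by the ./configure line are still
enabled in a build, and whether the installed binary is SUID/SGID or accessible
outside its group. It assumes "socat -V" lists features as
"#define WITH_<NAME> 1" / "#undef WITH_<NAME>" lines; the function names and the
sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a socat build and install against the tips in this file.

# Features the ./configure line above disables (WITH_* names are an assumption).
RISKY="FILE CREAT GOPEN PIPE UNIX EXEC SYSTEM"

# Read `socat -V` output on stdin; print each risky feature still enabled.
# Returns 0 if none are enabled, 1 otherwise.
enabled_risky_features() {
    awk -v list="$RISKY" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) risky["WITH_" a[i]] = 1 }
        $1 == "#define" && ($2 in risky) && $3 == "1" { print $2; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Check the installed binary: no SUID/SGID bit, no permissions for "other"
# (consistent with mode 750). Prints findings; returns 0 if clean.
check_install() {
    bin=$1 rc=0
    [ -u "$bin" ] && { echo "SUID bit set on $bin"; rc=1; }
    [ -g "$bin" ] && { echo "SGID bit set on $bin"; rc=1; }
    if [ -n "$(find "$bin" -prune \( -perm -001 -o -perm -002 -o -perm -004 \))" ]; then
        echo "$bin is accessible to users outside its group"; rc=1
    fi
    return $rc
}

# Constructed sample of `socat -V` feature lines (not real output).
sample_output() {
    cat <<'EOF'
features:
  #define WITH_STDIO 1
  #undef WITH_FILE
  #undef WITH_CREAT
  #define WITH_EXEC 1
  #define WITH_IP4 1
  #undef WITH_SYSTEM
EOF
}

# Usage on a real system (requires socat to be installed):
#   socat -V | enabled_risky_features
#   check_install "$(command -v socat)"
```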