This is very clever.
Last time i ran benchmarks (several years ago), UNIX domain sockets were twice as fast as IP sockets so that's another reason to use them.
I do not see an advantage over socat, which can listen on _TCP_-sockets (among 20 other „socket“ inputs) and forward them into unix-sockets. Please tell me? :-/
As others have mentioned, socat acts more like a router between different socket types/protocols but it doesn't change the behaviour of the program in question.
So for example if you have a service listening to TCP port 1234, you could do something like this:
socat UNIX-LISTEN:foo.sock TCP:localhost:1234
Now the service will still listen to port 1234 and you now have another socket that redirects to the other. This not only comes with a bit of overhead, but port 1234 is still reachable.
While using packet filtering on that port might lower the attack surface a bit, this won't prevent other (possibly compromised) services/users on the system to access port 1234.
Sure you could also filter based on uid, but IMHO it's better if that port isn't accessible in the first place.
From the documentation, it seems this utility uses LD_PRELOAD to change IP socket calls into Unix socket calls; which seems useful if you want to do namespaced and access controlled process to process communication with programs that don't already know how to use unix sockets.
socat as a TCP to unix socket proxy is doing a different job.
Thanks a lot for the suggestion. While I can't change the title here on HN, the README now mentions LD_PRELOAD in the first paragraph and I also added a small FAQ[1] section about socat.
This is really cool. I run a lot of different services on my home server and don't trust them to the internet. Everything is accessed via a reverse proxy with authentication that I trust.
While listening on localhost is some level of security it still means that lateral movement is possible if one of the services is compromised. It also means that if I give give someone else a user account or similarly run any less trusted code then they can access all of the services without authentication.
I'm going to look into this an apply this so that these services aren't accessible by other users.
If programs call getsockname() the result is not a sockaddr_un, but instead sockaddr_in(6) is used from the original call to bind(). If the socket was implicitly bound, a random[1] address is generated.
Things are a bit trickier if it gets to getpeername(), since we want to have somewhat stable addresses. This is done by querying SO_PEERCRED and encoding[2] the pid for IPv4 or pid, uid and gid for IPv6 into the address.
In summary: Programs shouldn't get confused, but if they do, it's certainly a bug in ip2unix. Feel free to open an issue :-)
It is faster because socat creates additional copies/context switches when forwarding data. This tool changes the bind syscall so it becomes a unix socket in the first place.
Tepix|5 years ago
easytiger|5 years ago
steigr|5 years ago
aszlig|5 years ago
So for example if you have a service listening to TCP port 1234, you could do something like this:
socat UNIX-LISTEN:foo.sock TCP:localhost:1234
Now the service will still listen to port 1234 and you now have another socket that redirects to the other. This not only comes with a bit of overhead, but port 1234 is still reachable.
While using packet filtering on that port might lower the attack surface a bit, this won't prevent other (possibly compromised) services/users on the system to access port 1234.
Sure you could also filter based on uid, but IMHO it's better if that port isn't accessible in the first place.
toast0|5 years ago
socat as a TCP to unix socket proxy is doing a different job.
rhn_mk1|5 years ago
floatboth|5 years ago
// "LD_PRELOAD" should've been in the submission title to avoid the "socat" questions
aszlig|5 years ago
[1]: https://github.com/nixcloud/ip2unix/tree/d7d297ed68cdadc65dc...
kevincox|5 years ago
While listening on localhost is some level of security it still means that lateral movement is possible if one of the services is compromised. It also means that if I give give someone else a user account or similarly run any less trusted code then they can access all of the services without authentication.
I'm going to look into this an apply this so that these services aren't accessible by other users.
forty|5 years ago
aszlig|5 years ago
tenebrisalietum|5 years ago
aszlig|5 years ago
ip2unix -r out,addr=127.1.1.1,path=foo-%p.sock firefox --new-instance
Whenever you then head over to something like http://127.1.1.1:9000/, the browser will try to connect to foo-9000.sock.
caf|5 years ago
aszlig|5 years ago
Things are a bit trickier if it gets to getpeername(), since we want to have somewhat stable addresses. This is done by querying SO_PEERCRED and encoding[2] the pid for IPv4 or pid, uid and gid for IPv6 into the address.
In summary: Programs shouldn't get confused, but if they do, it's certainly a bug in ip2unix. Feel free to open an issue :-)
[1]: https://github.com/nixcloud/ip2unix/blob/d7d297ed68cdadc65dc...
[2]: https://github.com/nixcloud/ip2unix/blob/d7d297ed68cdadc65dc...
noobquestion81|5 years ago
aszlig|5 years ago
That's what I had in mind someday™. Unfortunately, this has to wait for version 4.x maybe :-/
lykr0n|5 years ago
eiro|5 years ago
Mic92|5 years ago