I do not see an advantage over socat, which can listen on _TCP_-sockets (among 20 other „socket“ inputs) and forward them into unix-sockets. Please tell me? :-/
As others have mentioned, socat acts more like a router between different socket types/protocols but it doesn't change the behaviour of the program in question.
So for example if you have a service listening to TCP port 1234, you could do something like this:
socat UNIX-LISTEN:foo.sock TCP:localhost:1234
Now the service will still listen to port 1234 and you now have another socket that redirects to the other. This not only comes with a bit of overhead, but port 1234 is still reachable.
While using packet filtering on that port might lower the attack surface a bit, this won't prevent other (possibly compromised) services/users on the system to access port 1234.
Sure you could also filter based on uid, but IMHO it's better if that port isn't accessible in the first place.
From the documentation, it seems this utility uses LD_PRELOAD to change IP socket calls into Unix socket calls; which seems useful if you want to do namespaced and access controlled process to process communication with programs that don't already know how to use unix sockets.
socat as a TCP to unix socket proxy is doing a different job.
aszlig|5 years ago
So for example if you have a service listening to TCP port 1234, you could do something like this:
socat UNIX-LISTEN:foo.sock TCP:localhost:1234
Now the service will still listen to port 1234 and you now have another socket that redirects to the other. This not only comes with a bit of overhead, but port 1234 is still reachable.
While using packet filtering on that port might lower the attack surface a bit, this won't prevent other (possibly compromised) services/users on the system to access port 1234.
Sure you could also filter based on uid, but IMHO it's better if that port isn't accessible in the first place.
toast0|5 years ago
socat as a TCP to unix socket proxy is doing a different job.
rhn_mk1|5 years ago