mirror of
https://github.com/moparisthebest/socat
synced 2024-12-22 06:58:47 -05:00
42 lines
1.8 KiB
Plaintext
Tips for using socat in secured environments:

* Configure socat to only enable the required features, e.g. to protect your
  filesystem from any accesses through socat:
        make distclean
        ./configure --disable-file --disable-creat --disable-gopen \
                --disable-pipe --disable-unix --disable-exec --disable-system
  Use "socat -V" to see what features are still enabled; see
  ./configure --help for more options to disable.

* Do NOT install socat SUID root (or similar) when you have untrusted users or
  unprivileged daemons on your machine, because the full install of socat can
  overwrite arbitrary files and execute arbitrary programs!

* Set logging to "-d -d" (in special cases even higher)

* With files, protect against symlink attacks with nofollow (Linux), and
  avoid accessing files in world-writable directories like /tmp

* When listening, use bind option (except UNIX domain sockets)

* When listening, use range option (currently only for IP4 sockets)

* When using socat with system, exec, or in a shell script, know what you are
  doing

* With system and exec, use absolute paths or set the path option

* When starting programs with socat, consider using the chroot option (this
  requires root, so use the substuser option too).

* Start socat as root only if required; if so, use substuser option
  Note: starting a SUID program after applying substuser or setuid gives the
  process the SUID owner, which might give root privileges again.

* Socat, like netcat, is what intruders like to have on their victim's machine:
  once they have gained a toehold they try to establish a versatile connection
  back to their attack base, and they want to attack other systems. For both
  purposes, socat could be helpful. Therefore, it might be useful to install
  socat with owner/permissions root:socatgrp/750, and to make all trusted users
  members of group socatgrp.
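
Added example (not part of the original file or of the socat project): a small shell audit for the first two tips, reporting which of the features disabled by the ./configure line above are still compiled in, and whether a binary is SUID. It assumes "socat -V" lists features as "#define WITH_<NAME> 1" or "#undef WITH_<NAME>" lines; the sample output and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a socat build against the hardening tips above.
# Assumption: "socat -V" prints "#define WITH_<NAME> 1" for an enabled
# feature and "#undef WITH_<NAME>" for a disabled one.

# Features switched off by the ./configure line in the first tip.
RISKY_FEATURES="FILE CREAT GOPEN PIPE UNIX EXEC SYSTEM"

# Read "socat -V" output on stdin and print the risky features that are
# still enabled, space-separated. Empty output means none are enabled.
enabled_risky_features() {
    awk -v want="$RISKY_FEATURES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) risky[w[i]] = 1 }
        $1 == "#define" && $2 ~ /^WITH_/ {
            name = substr($2, 6)            # strip the "WITH_" prefix
            if (name in risky) out = out (out == "" ? "" : " ") name
        }
        END { print out }
    '
}

# Return 0 if the file has the set-user-ID bit set (second tip).
is_suid() {
    [ -u "$1" ]
}

# Constructed sample of "socat -V" output for a partially hardened build.
sample_socat_v() {
    cat <<'EOF'
socat version (constructed sample)
   features:
     #define WITH_STDIO 1
     #undef WITH_FILE
     #undef WITH_CREAT
     #undef WITH_GOPEN
     #undef WITH_PIPE
     #define WITH_UNIX 1
     #define WITH_IP4 1
     #define WITH_EXEC 1
     #undef WITH_SYSTEM
EOF
}

# Demo on the sample; on a real system: socat -V | enabled_risky_features
echo "still enabled: $(sample_socat_v | enabled_risky_features)"
```

On an installed system, pipe the real "socat -V" output into enabled_risky_features and run is_suid on the path of the installed binary.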