42 lines
1.8 KiB
Plaintext
42 lines
1.8 KiB
Plaintext
|
|
Tips for using socat in secured environments:
|
|
|
|
* Configure socat to only enable the required features, e.g. to protect your
|
|
filesystem from any accesses through socat:
|
|
make distclean
|
|
./configure --disable-file --disable-creat --disable-gopen \
|
|
--disable-pipe --disable-unix --disable-exec --disable-system
|
|
use "socat -V" to see what features are still enabled; see
|
|
./configure --help for more options to disable
|
|
|
|
* Do NOT install socat SUID root or so when you have untrusted users or
|
|
unprivileged daemons on your machine, because the full install of socat can
|
|
override arbitrary files and execute arbitrary programs!
|
|
|
|
* Set logging to "-d -d" (in special cases even higher)
|
|
|
|
* With files, protect against symlink attacks with nofollow (Linux), and
|
|
avoid accessing files in world-writable directories like /tmp
|
|
|
|
* When listening, use bind option (except UNIX domain sockets)
|
|
|
|
* When listening, use range option (currently only for IP4 sockets)
|
|
|
|
* When using socat with system, exec, or in a shell script, know what you do
|
|
|
|
* With system and exec, use absolute pathes or set the path option
|
|
|
|
* When starting programs with socat, consider using the chroot option (this
|
|
requires root, so use the substuser option too).
|
|
|
|
* Start socat as root only if required; if so, use substuser option
|
|
Note: starting a SUID program after applying substuser or setuid gives the
|
|
process the SUID owner, which might give root privileges again.
|
|
|
|
* Socat, like netcat, is what intruders like to have on their victims machine:
|
|
once they have gained a toehold they try to establish a versatile connection
|
|
back to their attack base, and they want to attack other systems. For both
|
|
purposes, socat could be helpful. Therefore, it might be useful to install
|
|
socat with owner/permissions root:socatgrp/750, and to make all trusted users
|
|
members of group socatgrp.
|