nexmon – Blame information for rev 1
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 1 | office | 1 | |
| 2 | Tips for using socat in secured environments: |
||
| 3 | |||
| 4 | * Configure socat to only enable the required features, e.g. to protect your |
||
| 5 | filesystem from any accesses through socat: |
||
| 6 | make distclean |
||
| 7 | ./configure --disable-file --disable-creat --disable-gopen \ |
||
| 8 | --disable-pipe --disable-unix --disable-exec --disable-system |
||
| 9 | use "socat -V" to see what features are still enabled; see |
||
| 10 | ./configure --help for more options to disable |
||
| 11 | |||
| 12 | * Do NOT install socat SUID root or so when you have untrusted users or |
||
| 13 | unprivileged daemons on your machine, because the full install of socat can |
||
| 14 | override arbitrary files and execute arbitrary programs! |
||
| 15 | |||
| 16 | * Set logging to "-d -d" (in special cases even higher) |
||
| 17 | |||
| 18 | * With files, protect against symlink attacks with nofollow (Linux), and |
||
| 19 | avoid accessing files in world-writable directories like /tmp |
||
| 20 | |||
| 21 | * When listening, use bind option (except UNIX domain sockets) |
||
| 22 | |||
| 23 | * When listening, use range option (currently only for IP4 sockets) |
||
| 24 | |||
| 25 | * When using socat with system, exec, or in a shell script, know what you do |
||
| 26 | |||
| 27 | * With system and exec, use absolute pathes or set the path option |
||
| 28 | |||
| 29 | * When starting programs with socat, consider using the chroot option (this |
||
| 30 | requires root, so use the substuser option too). |
||
| 31 | |||
| 32 | * Start socat as root only if required; if so, use substuser option |
||
| 33 | Note: starting a SUID program after applying substuser or setuid gives the |
||
| 34 | process the SUID owner, which might give root privileges again. |
||
| 35 | |||
| 36 | * Socat, like netcat, is what intruders like to have on their victims machine: |
||
| 37 | once they have gained a toehold they try to establish a versatile connection |
||
| 38 | back to their attack base, and they want to attack other systems. For both |
||
| 39 | purposes, socat could be helpful. Therefore, it might be useful to install |
||
| 40 | socat with owner/permissions root:socatgrp/750, and to make all trusted users |
||
| 41 | members of group socatgrp. |