Is it possible / good practice to start a socket and the drop privileges

Question

Is it possible / good practice to start a socket and the drop privileges

jason69 opened this issue 5 years ago · comments

jason69 commented 5 years ago

Hi,

In a tls context, private keys generally belong to root.

I wonder if I can:

build my socket as root
start listening
drop privileges (posix_setuid() ?)
run the loop

This would also allow listening on privileged ports (80 or 443).

What do you think about this? Would it effectively work?

Or should I simply give access right to the private key to non-root users?

jason69 · Answer 1 · Thu Jan 24 2019 20:18:43 GMT+0800 (China Standard Time)

NB: I did some preliminary tests and it seems it doesn't work.
Dropping privileges after listen do work, but the server will fail during TLS handshake.
However I am allowed to listen on a privileged port and drop privileges after...

Samuel CHEMLA · Answer 2 · Fri Jan 25 2019 03:39:36 GMT+0800 (China Standard Time)

About listening to privileged port, #164 should provide a better solution

Niklas Keller · Answer 3 · Fri Jan 25 2019 04:58:29 GMT+0800 (China Standard Time)

It won't work, because certificates / keys are currently read from disk for every handshake.

Christian Lück · Answer 4 · Fri Jan 25 2019 19:18:37 GMT+0800 (China Standard Time)

@jason69 Very good question! I'll answer this in two parts:

I wonder if I can:

build my socket as root

start listening

drop privileges (posix_setuid() ?)

run the loop

This would also allow listening on privileged ports (80 or 443).

What do you think about this? Would it effectively work?

Absolutely! This is a very common approach when listening on privileged ports (a.k.a. "well known" ports in the range 1-1023).

Some other alternatives would be using a dedicated socket server like systemd, assigning the CAP_NET_BIND_SERVICE capability or using firewall rules to route your traffic to an unprivileged port. Likewise, if you're using HTTP, it's very common to simply run this in a reverse-proxy setup behind nginx/HAProxy etc. and then forward to your unprivileged port.

If your use case is HTTP, I would highly recommend running this behind a reverse proxy instead. This not only solves this problem, but also brings a host of additional features like request validation, logging, HTTP/2 support and much more.

In a tls context, private keys generally belong to root. […]

Or should I simply give access right to the private key to non-root users?

I would say this is a very reasonable approach. IMO private keys should be owned by specific system users and should only have read access for this specific user. This helps reducing possible attack surface and also helps ensuring a higher level of isolation between different processes.

I believe this has been answered, so I'm closing this for now. Please come back with more details if this problem persists and we can reopen this 👍