| author | Stefan Kreutz <mail@skreutz.com> | 2022-04-28 10:23:56 +0200 |
|---|---|---|
| committer | Stefan Kreutz <mail@skreutz.com> | 2022-04-28 10:23:56 +0200 |
| commit | e699c3ec492b7c9128f4c89d71e6b9aec3c4fbda (patch) | |
| tree | 226b9615e273bed9ac85ae9dbd59bed382a31d2d /posts/unix-domain-socket-forwarding-with-openssh.md | |
| parent | bf1e137081e83cc1961f85c5040daf2eaa262d8b (diff) | |
| download | blog-e699c3ec492b7c9128f4c89d71e6b9aec3c4fbda.tar | |
Update external URLs
Diffstat (limited to 'posts/unix-domain-socket-forwarding-with-openssh.md')
-rw-r--r-- | posts/unix-domain-socket-forwarding-with-openssh.md | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/posts/unix-domain-socket-forwarding-with-openssh.md b/posts/unix-domain-socket-forwarding-with-openssh.md index 295b0c2..f06846b 100644 --- a/posts/unix-domain-socket-forwarding-with-openssh.md +++ b/posts/unix-domain-socket-forwarding-with-openssh.md @@ -56,7 +56,7 @@ For example, the following command uses the infamous [netcat](https://nc110.sour As far as I know, you have two practical options to control access to forwardings: 1. Add user-specific rules to your firewall of choice, if supported. -For example, the [owner module](http://ipset.netfilter.org/iptables-extensions.man.html#lbBP) of [`iptables(8)`](http://ipset.netfilter.org/iptables.man.html) enables you to match the user ID and the group ID of a local packet creator. +For example, the [owner module](https://ipset.netfilter.org/iptables-extensions.man.html#lbBP) of [`iptables(8)`](https://ipset.netfilter.org/iptables.man.html) enables you to match the user ID and the group ID of a local packet creator. 1. Use [Unix domain sockets](https://en.wikipedia.org/w/index.php?title=Unix_domain_socket&oldid=949050080) instead of TCP ports, and protect the special socket files just like regular files --- i.e., set the file owner, group, and mode using [`chown(8)`](https://man.openbsd.org/OpenBSD-6.6/chown) and [`chmod(1)`](https://man.openbsd.org/OpenBSD-6.6/chmod). 
@@ -130,7 +130,7 @@ Finally, a client may connect to this socket as follows --- regardless of how we $ curl http://localhost:3000/ Unfortunately, [`ssh(1)`](https://man.openbsd.org/OpenBSD-6.6/ssh)'s `ExitOnForwardFailure` option does not catch missing permissions to access the socket file. -Thus, if the final [`curl(1)`](https://curl.haxx.se/docs/manpage.html) command fails and you cannot actually use the forwarding, please check the group and the mode of the socket file created by [`socat(1)`](http://www.dest-unreach.org/socat/doc/socat.html) on the remote host. +Thus, if the final [`curl(1)`](https://curl.se/docs/manpage.html) command fails and you cannot actually use the forwarding, please check the group and the mode of the socket file created by [`socat(1)`](http://www.dest-unreach.org/socat/doc/socat.html) on the remote host. You can set the group and mode using the corresponding `UNIX-LISTEN` options. ## Conclusion @@ -168,6 +168,6 @@ You can restrict the socket's file name by forcing a special command instead of $ nc -lkU foo.sock 0<backpipe \ | nc 127.0.0.1 8080 1>backpipe - However, in practice, the second command did not work reliably on [OpenBSD 6.6](https://www.openbsd.org/66.html) and [Arch Linux](https://www.archlinux.org/) in June 2020. + However, in practice, the second command did not work reliably on [OpenBSD 6.6](https://www.openbsd.org/66.html) and [Arch Linux](https://archlinux.org/) in June 2020. I suspect, it's got something to do with an early EOF or standard output buffering. Please drop me a mail if you can help me out. |
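Review bot: In the first hunk (@@ -56,7 +56,7 @@) the two `iptables` links change only the scheme from `http://` to `https://`; it is worth confirming that both `https://ipset.netfilter.org/...` URLs, including the `#lbBP` fragment on the owner-module page, resolve to the same man pages without redirecting back to plain http, since a dead documentation link is worse for readers than the old plaintext one.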
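Review bot: The second hunk (@@ -130,7 +130,7 @@) moves the `curl(1)` link to `https://curl.se/docs/manpage.html` but leaves the `socat(1)` link on the same `+` line at `http://www.dest-unreach.org/socat/doc/socat.html`, which is inconsistent with a commit titled "Update external URLs". If that host serves HTTPS, switch it in the same commit; if it does not, a short note in the commit message would stop the next URL pass from flagging it again.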
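Review bot: The third hunk (@@ -168,6 +168,6 @@) only drops `www.` from the Arch Linux link; the unchanged context line "I suspect, it's got something to do with an early EOF or standard output buffering." carries a stray comma after "suspect" that could be cleaned up in a follow-up, since that prose is not part of this URL change.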