From 9601745f3f75eea748ec93f90b1b1a3023b6514d Mon Sep 17 00:00:00 2001 From: Florian Schmaus Date: Tue, 28 May 2024 11:08:31 +0200 Subject: [PATCH 1/5] gs-init-secret: add new script The gs-init-secret script can be used to securely initialize a file containing a gsocket secret. --- tools/Makefile.am | 2 +- tools/gs-init-secret | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100755 tools/gs-init-secret diff --git a/tools/Makefile.am b/tools/Makefile.am index 805fedd..9af4df0 100755 --- a/tools/Makefile.am +++ b/tools/Makefile.am @@ -38,7 +38,7 @@ gs_netcat_SOURCES = 4_gs-netcat.c utils.c socks.c console.c ids.c event_mgr.c pk gs_netcat_LDADD = ../lib/libgsocket.a @LDADD_STATIC@ gs_netcat_CFLAGS = @CFLAGS_STATIC@ -dist_bin_SCRIPTS = blitz gs-sftp gs-mount gsocket +dist_bin_SCRIPTS = blitz gs-sftp gs-mount gsocket gs-init-secret gsocket_uchroot_dso_so_0_SOURCES = gsocket_uchroot_dso.c gsocket_uchroot_dso_so_0_CFLAGS = -shared -fPIC diff --git a/tools/gs-init-secret b/tools/gs-init-secret new file mode 100755 index 0000000..f2782f1 --- /dev/null +++ b/tools/gs-init-secret @@ -0,0 +1,33 @@ +#!/usr/bin/env bash +set -eu + +if [[ $# -eq 2 ]]; then + >&2 echo "ERROR: Must provide exactly one argument" + exit 1 +fi + +SECRET_FILE="${1}" + +if [[ -f "${SECRET_FILE}" ]]; then + SECRET_FILE_PERMS="$(stat -c %a "${SECRET_FILE}")" + if [[ ${SECRET_FILE_PERMS} != [0-9][0-9]0 ]]; then + >&2 echo "ERROR: ${SECRET_FILE} has world-permissions set (${SECRET_FILE_PERMS})" + exit 1 + fi + + exit +fi + +TARGET_DIR="$(dirname "${SECRET_FILE}")" +if [[ ! -d "${TARGET_DIR}" ]]; then + mkdir -p "${TARGET_DIR}" +fi + +MY_TMPDIR=$(mktemp -d --tmpdir="${TMPDIR:-/tmp}") +trap 'rm -rf ${MY_TMPDIR}' EXIT + +SECRET_FILE_TMP="${MY_TMPDIR}/secret" + +gs-netcat -g > "${SECRET_FILE_TMP}" + +install --mode=400 "${SECRET_FILE_TMP}" "${SECRET_FILE}" From 756a515a116b5e13f6b5ba95ebbee676d34bfbd8 Mon Sep 17 00:00:00 2001 From: Florian Schmaus Date: Tue, 28 May 2024 11:10:53 +0200 Subject: [PATCH 2/5] gs-root-shell.service: use gs-init-secret --- examples/systemd-root-shell/gs-root-shell.service | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/systemd-root-shell/gs-root-shell.service b/examples/systemd-root-shell/gs-root-shell.service index 5b0e9a1..278de73 100644 --- a/examples/systemd-root-shell/gs-root-shell.service +++ b/examples/systemd-root-shell/gs-root-shell.service @@ -7,7 +7,8 @@ Type=simple Restart=always RestartSec=10 WorkingDirectory=/root -ExecStart=gs-netcat -k /etc/systemd/gs-root-shell-key.txt -il +ExecStartPre=gs-init-secret /etc/gsocket/gs-root-shell-key +ExecStart=gs-netcat -k /etc/gsocket/gs-root-shell-key -il [Install] WantedBy=multi-user.target From 5e72debc560cc18e36d9066653fba864a366b4c3 Mon Sep 17 00:00:00 2001 From: Florian Schmaus Date: Tue, 28 May 2024 11:11:43 +0200 Subject: [PATCH 3/5] gs-root-shell.service: drop Type=simple, as it is the default --- examples/systemd-root-shell/gs-root-shell.service | 1 - 1 file changed, 1 deletion(-) diff --git a/examples/systemd-root-shell/gs-root-shell.service b/examples/systemd-root-shell/gs-root-shell.service index 278de73..92a9814 100644 --- a/examples/systemd-root-shell/gs-root-shell.service +++ b/examples/systemd-root-shell/gs-root-shell.service @@ -3,7 +3,6 @@ Description=Global Socket Root Shell After=network.target [Service] -Type=simple Restart=always RestartSec=10 WorkingDirectory=/root From 9aa3a85656e8917720568a9b019cc774636b9d23 Mon Sep 17 00:00:00 2001 From: Florian Schmaus Date: Tue, 28 May 2024 11:12:17 +0200 Subject: [PATCH 4/5] gs-root-shell.service: set RestartSteps=10 and cap restart delays at 30min --- examples/systemd-root-shell/gs-root-shell.service | 2 ++ 1 file changed, 2 insertions(+) diff --git a/examples/systemd-root-shell/gs-root-shell.service b/examples/systemd-root-shell/gs-root-shell.service index 92a9814..5d52050 100644 --- a/examples/systemd-root-shell/gs-root-shell.service +++ b/examples/systemd-root-shell/gs-root-shell.service @@ -5,6 +5,8 @@ After=network.target [Service] Restart=always RestartSec=10 +RestartSteps=10 +RestartMaxDelaySec=30m WorkingDirectory=/root ExecStartPre=gs-init-secret /etc/gsocket/gs-root-shell-key ExecStart=gs-netcat -k /etc/gsocket/gs-root-shell-key -il From 24eb0d5606bbe38a4b401394933f4dbe9b851a5c Mon Sep 17 00:00:00 2001 From: Florian Schmaus Date: Tue, 28 May 2024 11:13:14 +0200 Subject: [PATCH 5/5] gs-root-shell.service: configure service to await network-online.target --- examples/systemd-root-shell/gs-root-shell.service | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/systemd-root-shell/gs-root-shell.service b/examples/systemd-root-shell/gs-root-shell.service index 5d52050..439890e 100644 --- a/examples/systemd-root-shell/gs-root-shell.service +++ b/examples/systemd-root-shell/gs-root-shell.service @@ -1,6 +1,7 @@ [Unit] Description=Global Socket Root Shell -After=network.target +After=network-online.target +Wants=network-online.target [Service] Restart=always