]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
projects / thirdparty / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 48930a5)
units: enable MaxConnectionsPerSocket= for all our Accept=yes units
authorLennart Poettering <lennart@poettering.net>
Wed, 7 Feb 2024 12:19:54 +0000 (13:19 +0100)
committerLennart Poettering <lennart@poettering.net>
Mon, 12 Feb 2024 10:57:24 +0000 (11:57 +0100)
Let's make sure that user's cannot DoS services for other users so
easily, and enable MaxConnectionsPerSocket= by default for all of them.

Note that this is mostly paranoia for systemd-pcrextend.socket and
systemd-sysext.socket: the socket is only accessible to root anyway,
hence the accounting shouldn#t change anything. But this is just a
safety net, in preparation that we open up some functionality of these
services sooner or later.

units/systemd-coredump.socket patch | blob | blame | history
units/systemd-creds.socket patch | blob | blame | history
units/systemd-pcrextend.socket patch | blob | blame | history
units/systemd-sysext.socket patch | blob | blame | history

diff --git a/units/systemd-coredump.socket b/units/systemd-coredump.socket
index a2d457fc027eaf236322e3aad7dbc679131b8274..c78eacd823d769c8567a8344a66f2c3024b2b802 100644 (file)
--- a/units/systemd-coredump.socket
+++ b/units/systemd-coredump.socket
@@ -19,3 +19,4 @@ ListenSequentialPacket=/run/systemd/coredump
 SocketMode=0600
 Accept=yes
 MaxConnections=16
+MaxConnectionsPerSource=8
diff --git a/units/systemd-creds.socket b/units/systemd-creds.socket
index 65b76bd027b698465e96639749399a67267db5e8..0f89b39c3e402d1eab335287b5367b198cb7650e 100644 (file)
--- a/units/systemd-creds.socket
+++ b/units/systemd-creds.socket
@@ -18,3 +18,4 @@ ListenStream=/run/systemd/io.systemd.Credentials
 FileDescriptorName=varlink
 SocketMode=0666
 Accept=yes
+MaxConnectionsPerSource=16
diff --git a/units/systemd-pcrextend.socket b/units/systemd-pcrextend.socket
index 7d156c14483923331b070db98418a21df92da910..41db50acd881bf3fe5f502a0efea2705cb971752 100644 (file)
--- a/units/systemd-pcrextend.socket
+++ b/units/systemd-pcrextend.socket
@@ -20,6 +20,7 @@ ListenStream=/run/systemd/io.systemd.PCRExtend
 FileDescriptorName=varlink
 SocketMode=0600
 Accept=yes
+MaxConnectionsPerSource=16
 
 [Install]
 WantedBy=sockets.target
diff --git a/units/systemd-sysext.socket b/units/systemd-sysext.socket
index ad870c5bfbb577590214380c3bf198703cdec9a1..1a616ca69ca4293d99d3da1d894008d2d8f7f553 100644 (file)
--- a/units/systemd-sysext.socket
+++ b/units/systemd-sysext.socket
@@ -20,6 +20,7 @@ ListenStream=/run/systemd/io.systemd.sysext
 FileDescriptorName=varlink
 SocketMode=0600
 Accept=yes
+MaxConnectionsPerSource=16
 
 [Install]
 WantedBy=sockets.target
Unnamed repository; edit this file 'description' to name the repository.