From a6c8c3ad8906958d1504aac3c2697dd8361a0f7e Mon Sep 17 00:00:00 2001
From: Gerhard Rieger
Date: Thu, 16 May 2024 15:25:26 +0200
Subject: [PATCH] socat-mux.sh and socat-broker.sh use low ports when run as root

---
 CHANGES | 3 +++
 socat-broker.sh | 18 ++++++++++++++++--
 socat-mux.sh | 23 +++++++++++++++++++----
 3 files changed, 38 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index 88f5f1e..2f66737 100644
--- a/CHANGES
+++ b/CHANGES
@@ -26,6 +26,9 @@ Features:
 Changed socat-chain.sh, socat-mux.sh, and socat-broker.sh to work with older Socat versions.
+ socat-mux.sh and socat-broker.sh, when run as root, now internally use
+ low (512..1023) UDP ports to increase security.
+
 Porting:
 Changes for building and testing on NetBSD
diff --git a/socat-broker.sh b/socat-broker.sh
index f8b5abb..f91b4ec 100755
--- a/socat-broker.sh
+++ b/socat-broker.sh
@@ -65,8 +65,18 @@ esac
 if [ -z "$SOCAT" ]; then SOCAT=socat; fi
 [ "$VERBOSE" ] && echo "# $0: Using executable $SOCAT" >&2
 
+# When run as root we try low ports
+LOWPORT=
+PATTERN=bound
+if [ "$(id -u)" = 0 ]; then
+ LOWPORT="lowport"
+ PATTERN="successfully prepared local socket"
+fi
+
 # We need a free UDP port (on loopback)
-PORT=$($SOCAT -d -d -T 0.000001 UDP4-RECV:0 /dev/null 2>&1 |grep bound |sed 's/.*:\([1-9][0-9]*\)$/\1/')
+if [ -z "$LOWPORT" ]; then
+ PORT=$($SOCAT -d -d -T 0.000001 UDP4-RECV:0 /dev/null 2>&1 |grep bound |sed 's/.*:\([1-9][0-9]*\)$/\1/')
+fi
 if [ -z "$PORT" ]; then
 # Probably old Socat version, use a different approach
 if type ss >/dev/null 2>&1; then
@@ -79,7 +89,11 @@ if [ -z "$PORT" ]; then
 fi
 PORT=
 while [ -z "$PORT" ] || ss -aun |grep -e ":$PORT\>" >/dev/null; do
-PORT=$((16384+RANDOM))
+ if [ -z "$LOWPORT" ]; then
+ PORT=$((16384+RANDOM))
+ else
+ PORT=$((512+(RANDOM>>6) ))
+ fi
 done
 fi
 [ "$VERBOSE" ] && echo "# $0: Using UDP port $PORT" >&2
diff --git a/socat-mux.sh b/socat-mux.sh
index 1d7e0de..084c0e6 100755
--- a/socat-mux.sh
+++ b/socat-mux.sh
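Review bot: The surviving probe line in socat-broker.sh still greps the literal `bound`, while the parallel probe in socat-mux.sh (its first hunk) greps `"$PATTERN"`, so PATTERN is assigned here but never read in this hunk. Aligning the line to `PORT=$($SOCAT -d -d -T 0.000001 UDP4-RECV:0 /dev/null 2>&1 |grep "$PATTERN" |sed 's/.*:\([1-9][0-9]*\)$/\1/')` keeps the two scripts consistent. In both scripts the probe runs only when LOWPORT is empty, so the root value `successfully prepared local socket` is not consumed by any visible line; if it is intended for a later probe that passes the `lowport` option, that use lies outside the hunk and is worth confirming. The comment `# When run as root we try low ports` would be more useful stating the reason, e.g. `# As root, pick a port below 1024: on most Unix systems unprivileged local users cannot bind there, so they cannot grab the loopback port before this script does`.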
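Review bot: The low-port branch `PORT=$((512+(RANDOM>>6) ))` in the second socat-broker.sh hunk encodes the 512..1023 range stated in CHANGES only implicitly; a comment such as `# RANDOM is 0..32767, so RANDOM>>6 is 0..511 and the result lies in 512..1023 (privileged range)` would make the bound checkable. Because a root run skips the socat probe above, `ss -aun` is now the only free-port check on this path, and a port it reports free can still be bound by another privileged process before the script binds it; the window is not new, but it is now the sole check and deserves a note. The `else` branch of `if type ss` is outside the hunk, so whether a root run on a host without `ss` still obtains a port is worth confirming. The same points apply to the two-port loop in the second socat-mux.sh hunk.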
@@ -72,9 +72,19 @@ esac
 if [ -z "$SOCAT" ]; then SOCAT=socat; fi
 [ "$VERBOSE" ] && echo "# $0: Using executable $SOCAT" >&2
 
+# When run as root we try low ports
+LOWPORT=
+PATTERN=bound
+if [ "$(id -u)" = 0 ]; then
+ LOWPORT="lowport"
+ PATTERN="successfully prepared local socket"
+fi
+
 # We need two free UDP ports (on loopback)
-PORT1=$($SOCAT -d -d -T 0.000001 UDP4-RECV:0 /dev/null 2>&1 |grep bound |sed 's/.*:\([1-9][0-9]*\)$/\1/')
-PORT2=$($SOCAT -d -d -T 0.000001 UDP4-RECV:0 /dev/null 2>&1 |grep bound |sed 's/.*:\([1-9][0-9]*\)$/\1/')
+if [ -z "$LOWPORT" ]; then
+ PORT1=$($SOCAT -d -d -T 0.000001 UDP4-RECV:0 /dev/null 2>&1 |grep "$PATTERN" |sed 's/.*:\([1-9][0-9]*\)$/\1/')
+ PORT2=$($SOCAT -d -d -T 0.000001 UDP4-RECV:0 /dev/null 2>&1 |grep "$PATTERN" |sed 's/.*:\([1-9][0-9]*\)$/\1/')
+fi
 if [ -z "$PORT1" -o -z "$PORT2" ]; then
 # Probably old Socat version, use a different approach
 if type ss >/dev/null 2>&1; then
@@ -87,8 +97,13 @@ if [ -z "$PORT1" -o -z "$PORT2" ]; then
 fi
 PORT1= PORT2=
 while [ -z "$PORT1" -o -z "$PORT2" -o "$PORT1" = "$PORT2" ] || ss -aun |grep -e ":$PORT1\>" -e ":$PORT2\>" >/dev/null; do
-PORT1=$((16384+RANDOM))
-PORT2=$((16384+RANDOM))
+ if [ -z "$LOWPORT" ]; then
+ PORT1=$((16384+RANDOM))
+ PORT2=$((16384+RANDOM))
+ else
+ PORT1=$((512+(RANDOM>>6) ))
+ PORT2=$((512+(RANDOM>>6) ))
+ fi
 done
 fi
 [ "$VERBOSE" ] && echo "# $0: Using UDP ports $PORT1, $PORT2" >&2