From 5d1e8cd3e057261c6db3fb3d7de39b7ca48efd3b Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Wed, 7 Feb 2024 13:19:54 +0100 Subject: [PATCH] units: enable MaxConnectionsPerSocket= for all our Accept=yes units Let's make sure that user's cannot DoS services for other users so easily, and enable MaxConnectionsPerSocket= by default for all of them. Note that this is mostly paranoia for systemd-pcrextend.socket and systemd-sysext.socket: the socket is only accessible to root anyway, hence the accounting shouldn#t change anything. But this is just a safety net, in preparation that we open up some functionality of these services sooner or later. --- units/systemd-coredump.socket | 1 + units/systemd-creds.socket | 1 + units/systemd-pcrextend.socket | 1 + units/systemd-sysext.socket | 1 + 4 files changed, 4 insertions(+) diff --git a/units/systemd-coredump.socket b/units/systemd-coredump.socket index a2d457fc02..c78eacd823 100644 --- a/units/systemd-coredump.socket +++ b/units/systemd-coredump.socket @@ -19,3 +19,4 @@ ListenSequentialPacket=/run/systemd/coredump SocketMode=0600 Accept=yes MaxConnections=16 +MaxConnectionsPerSource=8 diff --git a/units/systemd-creds.socket b/units/systemd-creds.socket index 65b76bd027..0f89b39c3e 100644 --- a/units/systemd-creds.socket +++ b/units/systemd-creds.socket @@ -18,3 +18,4 @@ ListenStream=/run/systemd/io.systemd.Credentials FileDescriptorName=varlink SocketMode=0666 Accept=yes +MaxConnectionsPerSource=16 diff --git a/units/systemd-pcrextend.socket b/units/systemd-pcrextend.socket index 7d156c1448..41db50acd8 100644 --- a/units/systemd-pcrextend.socket +++ b/units/systemd-pcrextend.socket @@ -20,6 +20,7 @@ ListenStream=/run/systemd/io.systemd.PCRExtend FileDescriptorName=varlink SocketMode=0600 Accept=yes +MaxConnectionsPerSource=16 [Install] WantedBy=sockets.target diff --git a/units/systemd-sysext.socket b/units/systemd-sysext.socket index ad870c5bfb..1a616ca69c 100644 --- a/units/systemd-sysext.socket +++ b/units/systemd-sysext.socket @@ -20,6 +20,7 @@ ListenStream=/run/systemd/io.systemd.sysext FileDescriptorName=varlink SocketMode=0600 Accept=yes +MaxConnectionsPerSource=16 [Install] WantedBy=sockets.target