
Is it possible to listen on unix socket? #675

Open
singpolyma opened this issue Dec 5, 2021 · 2 comments

Comments

singpolyma (Contributor) commented Dec 5, 2021

Most of my web apps listen on a unix socket instead of an INET port number; can gitit do that? Just gitit -l /tmp/thing.sock did not work.

jgm (Owner) commented Dec 5, 2021

Not at present.

trentbuck commented
Related: systemd socket activation (i.e. gitit.socket) would Just Work™ if gitit can be made to use an already-open file descriptor 3, instead of opening its own TCP listener. This would let systemd-analyze security be used to harden the gitit namespace, even to the point where TCP/IP is blocked!

Here is a janky web app being locked down heavily (and then nginx reverse-proxies it): https://github.com/trentbuck/collection4/blob/main/debian/service#L15-L44

(Of course, even with gitit as-is you can do most of this lockdown -- and you would still need TCP/IP if you wanted gitit to be able to send password reset emails, because fork+exec'ing /usr/sbin/sendmail runs it in the same systemd "slice" as gitit.)
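As an added illustration (not gitit code and not from this thread), here is what "use an already-open file descriptor 3" means in practice: a server checks the LISTEN_PID/LISTEN_FDS variables systemd sets, adopts fd 3 if they are addressed to it, and otherwise binds a unix socket itself. The function names and the socket path are my own.

```python
import os
import socket

SD_LISTEN_FDS_START = 3  # systemd hands over sockets starting at fd 3 (0-2 are stdio)


def systemd_listen_fds(environ=None, pid=None):
    """Return the fds passed by systemd socket activation, or [] if none.

    Follows the same protocol as sd_listen_fds(3): LISTEN_PID must equal our
    own pid (otherwise the fds were meant for a parent/other process and
    must not be trusted), LISTEN_FDS says how many consecutive fds follow.
    """
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:  # variables absent or malformed: not socket-activated
        return []
    if count <= 0:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def listening_socket(path_or_port, environ=None, pid=None, backlog=16):
    """Prefer an inherited (socket-activated) listener; else bind our own.

    path_or_port: an int TCP port (bound on loopback only) or a unix socket
    path, e.g. what a "-l /run/gitit.sock" style option would carry.
    """
    fds = systemd_listen_fds(environ, pid)
    if fds:
        # Adopt the fd systemd already bound and listened on; family and
        # type are detected from the descriptor itself.
        return socket.socket(fileno=fds[0])
    if isinstance(path_or_port, int):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(("127.0.0.1", path_or_port))
    else:
        if os.path.exists(path_or_port):
            os.unlink(path_or_port)  # remove a stale socket file from a previous run
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.bind(path_or_port)
        # Only owner and group (e.g. the nginx reverse proxy) may connect.
        os.chmod(path_or_port, 0o660)
    sock.listen(backlog)
    return sock
```

With a matching gitit.socket unit (ListenStream=/run/gitit.sock) systemd owns the socket, so the service itself can run with network access removed.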
