systemd uucp.socket listens to all addresses

Bug #1880240 reported by Tim Ritberg
Affects: uucp (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

Systemd generator for converting xinetd services does not convert "bind =" to an equivalent.
Maybe this should be "ListenStream="

Instead the service will listen on any address, which is insecure.

245.4-4ubuntu3 on Ubuntu 20.04 64 bit.

Tags: systemd xinetd
Seth Arnold (seth-arnold) wrote : Re: [Bug 1880240] [NEW] Systemd xinetd generator forgets ip-binding

On Fri, May 22, 2020 at 08:33:39PM -0000, Tim Ritberg wrote:
> Systemd generator for converting xinetd services does not convert "bind =" to an equivalent.

Hello Tim, I'm having trouble finding a systemd xinetd generator; I can't
find it in our systemd source packages, our xinetd source packages, the
upstream systemd git repository on github, or any filenames known to
apt-file that have both systemd-generators and inet.

What exactly is providing the xinetd generator service?

Thanks

Changed in systemd (Ubuntu):
status: New → Incomplete
Tim Ritberg (xpert-reactos) wrote : Re: Systemd xinetd generator forgets ip-binding

Hi Seth!

Because of security concerns, I removed this config. But I can still see my terminal history:

The service file was /run/systemd/generator.late/xinetd.service and the other file /etc/systemd/system/sockets.target.wants/uucp.socket.

And there was a link /etc/systemd/system/sockets.target.wants/uucp.socket -> /lib/systemd/system/uucp.socket

Some messages during the update from 18.04 to 20.04:
uucp (1.07-27build1) wird eingerichtet ...
Note: xinetd currently is not fully supported by update-inetd.
Please consult /usr/share/doc/xinetd/README.Debian and itox(8).
update-inetd: warning: cannot add service, /etc/inetd.conf does not exist
Created symlink /etc/systemd/system/sockets.target.wants/uucp.socket → /lib/systemd/system/uucp.socket.
Failed to get unit file state for uucp.service: No such file or directory
uucp.service is a disabled or a static unit not running, not starting it.
Job failed. See "journalctl -xe" for details.

And found this file: /var/lib/systemd/deb-systemd-helper-enabled/sockets.target.wants/uucp.socket

Maybe these hints could help.

Tim Ritberg (xpert-reactos) wrote :

Oh wow, where is my posting of day...

Tim Ritberg (xpert-reactos) wrote : Aw: [Bug 1880240] Re: Systemd xinetd generator forgets ip-binding

>
> What exactly is providing the xinetd generator service?
>

Somehow, I couldn't answer via the web form. My input is gone...

Tim Ritberg (xpert-reactos) wrote : Re: Systemd xinetd generator forgets ip-binding

Today I looked again and found this file:
uucp: /lib/systemd/system/uucp@.service

Maybe this file is fed into the systemd generator.

Tim Ritberg (xpert-reactos) wrote :

I got it: /lib/systemd/system/uucp.socket

"
[Unit]
Description=UUCP server activation socket

[Socket]
ListenStream=540
Accept=true

[Install]
WantedBy=sockets.target
"

It does not seem to be autogenerated. But it is not based on the xinetd config, and therefore security settings are missing:

"
service uucp
{
        only_from = 0.0.0.0
        port = 540
        socket_type = stream
        protocol = tcp
        user = uucp
        server = /usr/sbin/uucico
        server_args = -I /etc/uucp/config -l
        type = UNLISTED
        wait = no
        bind = 0.0.0.0
}
"

Only_from and bind are important.

Changed in systemd (Ubuntu):
status: Incomplete → Confirmed
information type: Private Security → Public Security
affects: systemd (Ubuntu) → uucp (Ubuntu)
summary: - Systemd xinetd generator forgets ip-binding
+ systemd uucp.socket listens to all addresses
Changed in uucp (Ubuntu):
status: Confirmed → Invalid
Seth Arnold (seth-arnold) wrote :

Thanks Tim for the extra details.

A quick summary:

- There's no systemd xinetd generator to create .socket and .service files involved

- The uucp package provides both a .socket and .service file for uucp with defaults that match the xinetd configuration.

- Indeed, the systemd unit file doesn't describe all the available options that *could* be set. This is intentional. Focal's systemd understands roughly 245 such options, e.g.:

$ systemctl show ssh | wc -l
245

Listing all of the available options would drastically hurt the legibility of the systemd unit files.

If you wish to change the interfaces it listens on, you can use systemctl edit uucp.socket to change the [Socket] ListenStream setting. I don't see any systemd setting that corresponds to only_from -- but you can use ufw or iptables to restrict access to specific ranges.

Thanks
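
Following the advice above, here is an added example (not from the bug report or the uucp package) of what a `systemctl edit uucp.socket` drop-in for this unit looks like, plus a dry-run check that emulates systemd's merging of `ListenStream=`. It assumes a `ROOT` variable (constructed) so it can be exercised against a scratch tree instead of the live /etc and /lib, and uses the RFC 5737 address 192.0.2.10 as a placeholder.

```shell
#!/bin/sh
# Added example (not from the bug report or the uucp package): pin
# uucp.socket to one address with a drop-in, the way `systemctl edit
# uucp.socket` would, and emulate systemd's merge of ListenStream= to
# check the result before reloading. ROOT (assumed) lets it run against
# a scratch tree; left unset, the paths are the real /etc and /lib.
set -eu
ROOT="${ROOT:-}"

write_uucp_override() {
    # $1: address to bind, e.g. 192.0.2.10 (constructed, RFC 5737)
    # $2: CIDR range allowed to connect, the only_from= counterpart
    dir="$ROOT/etc/systemd/system/uucp.socket.d"
    mkdir -p "$dir"
    cat > "$dir/override.conf" <<EOF
[Socket]
# ListenStream= is a list setting: the empty assignment drops the bare
# 540 from the packaged unit; without it the override would ADD a second
# listener on all addresses and change nothing security-wise.
ListenStream=
ListenStream=$1:540
# Connection filtering on the listening socket (systemd >= 235, see
# systemd.resource-control(5)); ufw/iptables as suggested above also works.
IPAddressDeny=any
IPAddressAllow=$2
EOF
}

resolve_listen() {
    # Emulates how systemd merges ListenStream= from the packaged unit and
    # its drop-ins (in that order): assignments append, an empty one resets.
    cat "$ROOT/lib/systemd/system/uucp.socket" \
        "$ROOT"/etc/systemd/system/uucp.socket.d/*.conf 2>/dev/null |
    awk -F= '/^ListenStream=/ { if ($2 == "") n = 0; else v[n++] = $2 }
             END { for (i = 0; i < n; i++) print v[i] }'
}

# Real-system use, after checking the dry run against a scratch ROOT:
#   systemctl daemon-reload && systemctl restart uucp.socket
#   systemctl show uucp.socket -p Listen
if [ "${1:-}" = "apply" ]; then
    write_uucp_override "${2:?address}" "${3:?allowed CIDR}"
    resolve_listen
fi
```

With `ROOT=$(mktemp -d)` and a copy of the packaged uucp.socket under `$ROOT/lib/systemd/system/`, `resolve_listen` prints only `192.0.2.10:540` after the override is written; if the empty `ListenStream=` line is removed, it prints both `540` and the pinned address, which is the mistake the drop-in guards against.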

Tim Ritberg (xpert-reactos) wrote :

Or delete this insecure systemd config and use xinetd directly.

Seth Arnold (seth-arnold) wrote : Re: [Bug 1880240] Re: systemd uucp.socket listens to all addresses

On Wed, May 27, 2020 at 04:22:03PM -0000, Tim Ritberg wrote:
> Or delete this insecure systemd config and use xinetd directly.

The uucp-supplied xinetd configuration and systemd socket file are
identical: both bind to all addresses on the system.

If you want to run your uucp services on a specific address, you can do
so via either interface equally well.

Thanks
