jgm/gitit

Is it possible to listen on unix socket?

Opened this issue · 2 comments

Most of my web apps listen on unix socket instead of INET port number, can gitit do that? Just gitit -l /tmp/thing.sock did not work.

jgm commented

Not at present.

Related: systemd socket activation (i.e. gitit.socket) would Just Work™ if gitit can be made to use an already-open file descriptor 3, instead of opening its own TCP listener. This would let systemd-analyze security be used to harden the gitit namespace even to the point where TCP/IP are blocked!

Here is a janky web app being locked down heavily (and then nginx reverse-proxies it): https://github.com/trentbuck/collection4/blob/main/debian/service#L15-L44

(Of course, even gitit as-is you can do most of this lockdown -- and you would still need TCP/IP if you wanted gitit to be able to send password reset emails, because fork+exec'ing /usr/sbin/sendmail runs it in the same systemd "slice" as gitit.)