[stunnel-users] stunnel automatically listening to extra ports: BAD

Brian Hatch bri at stunnel.org
Fri Jan 11 23:11:04 CET 2008


Nigh 2008-01-11 17:06 -0500, Alan Pinstein pleaded:

> I don't know a lot about sockets programming, but I am not sure this  
> makes sense... I don't WANT stunnel to stop listening to those ports;  
> rather it shouldn't ever start. stunnel has a config file, so I'd  
> expect it to only listen to the ports it was told to listen to, which  
> is 4449.

Can you show us the code that is starting Stunnel?  Is it running as
the apache user?  Is it actually being started from apache itself?

If apache (the webserver daemon) is exec'ing Stunnel, it should be
closing those sockets.  If it's not, you'd still see them as LISTENable.
(Now, would stunnel accept on them?  I'd think not, because it's bound
4449 and only does listen() on that socket.)

> But still I think that stunnel is actively listening on these ports.  
> Forked processes just don't inherit sockets from parents AFAIK....

google for 'close on exec'

> I suppose that I could just set it up in init.d to run on boot, but  
> was hoping to not have to deal with another initd process for ease of  
> management...

You're better off using init.d, honestly.  Else you might get more than
one stunnel trying to start up, all that logic to start or not start,
etc.


-- 
Brian Hatch                  "I jump from aircraft at 14000 feet
   Systems and                saying my chute always opens - so
   Security Engineer          I pee on jinxes."
http://www.ifokr.org/bri/    --Martin

Every message PGP signed
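The mechanics behind "close on exec", as an added example that is not part of this thread or of stunnel's or apache's own code (function names such as make_listener and survives_exec are mine, and /bin/sh stands in for the exec'd stunnel). It opens a listening socket the way a parent daemon does, shows that a child fork'd and exec'd from it can still use that descriptor until FD_CLOEXEC is set on it, and shows that a leaked listener keeps the port bound, with the kernel completing connections into the backlog, even after the parent has closed its own copy and even though the holder never calls accept():

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Listening TCP socket on 127.0.0.1 with a kernel-chosen port (returned
 * through *port): what a daemon such as apache holds before it forks. */
int make_listener(unsigned short *port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;

    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                       /* let the kernel pick a port */
    if (bind(fd, (struct sockaddr *)&sa, len) < 0 || listen(fd, 8) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *port = ntohs(sa.sin_port);
    return fd;
}

/* FD_CLOEXEC is the flag the reply refers to: it is off by default, so a
 * plain socket() descriptor survives both fork() and exec(). */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) != 0;
}

int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Fork and exec "sh -c cmd" (the child stands in for stunnel) and return
 * its exit status, or -1 on failure. */
static int run_child(const char *cmd)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* 1 if the exec'd child can still use fd: the shell redirection ">&N" is a
 * dup2() of descriptor N and fails ("Bad file descriptor") if exec closed it. */
int survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, ": 2>/dev/null >&%d", fd);
    return run_child(cmd) == 0;
}

/* 1 if a TCP connect to 127.0.0.1:port completes. The kernel finishes the
 * handshake into the listen backlog whether or not anyone calls accept(),
 * which is why the port shows as LISTEN for every process holding the fd. */
int port_accepts(unsigned short port)
{
    int ok, s = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in sa;

    if (s < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    ok = connect(s, (struct sockaddr *)&sa, sizeof sa) == 0;
    close(s);
    return ok;
}

/* Leak a listener into a child that outlives the parent's copy of it.
 * Returns 1 if the port stayed open while the child lived and was only
 * released when the child exited. */
int leaked_listener_keeps_port(void)
{
    unsigned short port;
    int fd = make_listener(&port), while_alive, after_exit;
    pid_t pid;

    if (fd < 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                        /* child: holds fd, never touches it */
        sleep(1);
        _exit(0);
    }
    close(fd);                             /* parent drops its own copy */
    while_alive = port_accepts(port);
    waitpid(pid, NULL, 0);                 /* child exit finally closes the socket */
    after_exit = port_accepts(port);
    return while_alive == 1 && after_exit == 0;
}

int main(void)
{
    unsigned short port;
    int fd = make_listener(&port);
    if (fd < 0)
        return 1;
    printf("port %u inherited after exec: %d\n", port, survives_exec(fd));
    set_cloexec(fd);
    printf("with FD_CLOEXEC, inherited after exec: %d\n", survives_exec(fd));
    printf("leaked listener keeps port bound: %d\n", leaked_listener_keeps_port());
    return 0;
}
```

On the apache side the cure is the same as the reply says: mark the listening sockets FD_CLOEXEC (or open them with SOCK_CLOEXEC where available) or close them explicitly between fork() and exec(), so the exec'd stunnel never holds them. To see what a running stunnel actually inherited, list its descriptors with lsof -p <pid>, or on Linux ls -l /proc/<pid>/fd; an inherited :80 or :443 socket there is also why a later apache restart can fail with "address already in use" while the old stunnel is still alive.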