Aptly API over Unix Sockets


Last week I’ve added a bunch of code to enable use of Aptly’s API over Unix domain sockets.

Aptly is a Debian repository management software we use for KDE neon‘s deb repository. It is one of the more popular software for repo management as it is easy to deploy and features a handy REST API.

One of the more annoying shortcomings of Aptly’s API is the fact that it has no authentication mechanism. This makes using the API from remote hosts a fairly unwieldy affair as you first have to harden the beast.

Your options are basically limited to either run Apache (or some other HTTP server) that proxies Aptly’s API and adds HTTPAuth to it, or you pipe everything through SSH. Both of which are fine solutions, but they hide a fairly awkward security problem.

Aptly would be listening to a port on localhost and the lack of access control means that if any user gets compromised the Aptly instance is effectively compromised as well. It also means that if you do not read the documentation and explicitly set Aptly to listen on localhost only, you end up with a publicly writable Aptly instance. Ugh.

There is a really simple way out though: listening to a Unix domain socket rather than a TCP socket. Unix sockets are pseudo-files and therefore file access control applies. This makes access control easy to manage through the system’s user/group/all permissions of the socket file.

srw-rw----  1 user group    0 Mar  6 14:23 aptly.sock

Making use of this is super easy too!

Socket Listening

Aptly API’s serve invocation now supports a URI scheme for Unix sockets.

aptly api serve -listen="unix://tmp/aptly.sock"

This will (re)create a Unix domain socket at the defined path and listen to it.


Using this you can restrict full access to the API service down to a user level. More fine-grained control still needs a frontend add-on such as an HTTP server with HTTPAuth, but for most purposes a per-user access control should be sufficient and vastly more secure than the previous TCP socket binding.

With OpenSSH’s direct-streamlocal@openssh.com SSH protocol extension you can then even communicate with a remote Aptly instance through a forwarded socket.

To enable myself to use this I’ve also added support for this to the Ruby net/ssh gem and my aptly-api gem.

Using latest master of everything involved we can now serve the API on a socket and then access that remotely via SSH like so:

require 'aptly'
require 'net/ssh'

Thread.new do
  Net::SSH.start('remotehost', 'user') do |ssh|
    ssh.forward.local_socket('/tmp/local.sock', '/home/user/aptly.sock')
    loop { ssh.process(0.1) }

sleep 2 # wait for open

Aptly.configure do |c|
  c.uri = URI.parse('unix:///tmp/local.sock')

Lovely, isn’t it?


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s