Re: [Acme] Server on >= 1024 port

Darren J Moffat <Darren.Moffat@Oracle.COM> Thu, 03 December 2015 09:32 UTC

Message-ID: <56600C06.6070301@Oracle.COM>
Date: Thu, 03 Dec 2015 09:31:50 +0000
From: Darren J Moffat <Darren.Moffat@Oracle.COM>
Organization: Oracle Solaris Security
To: Peter Eckersley <pde@eff.org>, Phillip Hallam-Baker <phill@hallambaker.com>
References: <565589E4.2030107@desy.de> <565EBF56.3070502@desy.de> <D836A378-DA88-4AAF-B1E4-F34A80319DC1@gmail.com> <e9092589f3204a449af8b6f900be1303@usma1ex-dag1mb1.msg.corp.akamai.com> <CAL02cgQPZrx5d1xO-xKEQrV+pZKLkhYW_XDSm=QM8THs__s5qQ@mail.gmail.com> <CAMm+LwiqfYH-Vt7L2OSyLTNWzPSYBO-qxhjHege2jFqOnPtxjQ@mail.gmail.com> <20151202220603.GB18430@eff.org>
In-Reply-To: <20151202220603.GB18430@eff.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/-EeUlRKw6v-SG_9gkAArH4P-ppY>
Cc: Richard Barnes <rlb@ipv.sx>, Paul Millar <paul.millar@desy.de>, "acme@ietf.org" <acme@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>, "Salz, Rich" <rsalz@akamai.com>
Subject: Re: [Acme] Server on >= 1024 port


On 12/02/15 22:06, Peter Eckersley wrote:
> On Wed, Dec 02, 2015 at 12:01:04PM -0500, Phillip Hallam-Baker wrote:
>>
>> Again, I think you are missing the real problem here. Let us say we have a
>> new protocol to run over port 666 that is actually a Web service under the
>> covers.
>>
>> Hosting provider has a host that supports the following Web Sites that
>> belong to different parties:
>>
>> example.com
>> malicious.com
>>
>> The hosting provider allows any form of executable to run on the host
>> (10.6.6.6) that does not interfere with apache which has 80 & 443 reserved.
>> [This is typical]
>
> Are there any typical hosting environments in which such executables can
> bind to port 666, while being unable to tear down and replace the
> service that's bound of 443?  What are they?

While I don't know of any hosting environment, typical or otherwise,
that does this, it is possible to set up such an environment in Solaris
and Linux.  In Linux you would do this using SELinux type enforcement
policy to control which ports can be bound to.  In Solaris it is as
simple as granting the process the privilege {net_privaddr}:666/tcp;
that process could then listen on port 666 tcp but not 443.

If anything it is more likely to be used to constrain the webserver to 
only be able to listen on 80 and 443 and not on other ports < 1024.

-- 
Darren J Moffat
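A defender-side check for the kind of per-port policy described in the message above, added here as an example; it is not part of Darren's message or of any ACME implementation. Whichever mechanism enforces the policy (a Solaris extended privilege such as {net_privaddr}:666/tcp, or an SELinux domain whose port type only covers 666/tcp), the observable result is the same: bind() on 443 fails with EACCES/EPERM while bind() on 666 succeeds. Note that plain Linux capabilities cannot express this, since CAP_NET_BIND_SERVICE covers every port below 1024 at once. The script tries to bind each port on 127.0.0.1, closes the socket immediately, and compares the outcome with the expected allow/deny matrix; the ports and the expected results in `EXPECTED` are constructed for the example and are assumptions, not values from the thread.

```python
"""Probe which TCP ports the current process context may bind.

Run this as the confined service's user (or from its SMF/systemd/SELinux
context) to confirm the policy: 666/tcp should bind, 443/tcp should not.
"""
import errno
import socket
from typing import Callable, Dict, Tuple

# Possible outcomes of one bind attempt.
BOUND = "bound"      # bind succeeded: policy allows this port
DENIED = "denied"    # EACCES/EPERM: privilege or MAC policy refused it
IN_USE = "in-use"    # EADDRINUSE: another listener holds it (inconclusive)
OTHER = "other"      # any other socket error (inconclusive)

# Constructed expectations for the scenario in the thread (assumption):
# the hosted executable may own 666/tcp but must never take over 80/443.
EXPECTED: Dict[int, str] = {80: DENIED, 443: DENIED, 666: BOUND}


def probe_bind(port: int, host: str = "127.0.0.1") -> str:
    """Try to bind a TCP socket to (host, port) and classify the result.

    The socket is closed on exit from the `with` block, so nothing listens.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
        except PermissionError:
            return DENIED
        except OSError as e:
            if e.errno in (errno.EACCES, errno.EPERM):
                return DENIED
            if e.errno == errno.EADDRINUSE:
                return IN_USE
            return OTHER
        return BOUND


def check_policy(
    expected: Dict[int, str],
    probe: Callable[[int], str] = probe_bind,
) -> Dict[int, Tuple[str, str, bool]]:
    """Return {port: (expected, observed, ok)} for every port in `expected`.

    `probe` is injectable so the comparison logic can be exercised without
    touching real sockets. IN_USE and OTHER never equal an expectation, so
    an inconclusive probe is reported as not ok and should be re-run.
    """
    report = {}
    for port, want in sorted(expected.items()):
        got = probe(port)
        report[port] = (want, got, got == want)
    return report


def policy_holds(report: Dict[int, Tuple[str, str, bool]]) -> bool:
    """True only if every port behaved exactly as expected."""
    return all(ok for _, _, ok in report.values())


if __name__ == "__main__":
    result = check_policy(EXPECTED)
    for port, (want, got, ok) in result.items():
        print(f"{port:>5}/tcp  expected={want:<7} observed={got:<7} {'OK' if ok else 'FAIL'}")
    print("policy holds" if policy_holds(result) else "policy violated or inconclusive")
```

Run it once as an unconfined user to see the baseline (everything below 1024 denied, 666 bound) and once from the confined context; on a Linux host where `net.ipv4.ip_unprivileged_port_start` has been lowered, or inside a container that lowers it, the low ports will bind for any user, which is exactly the kind of surprise this probe is meant to surface before a tenant can.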