Re: [Acme] Server on >= 1024 port
Darren J Moffat <Darren.Moffat@Oracle.COM> Thu, 03 December 2015 09:32 UTC
Message-ID: <56600C06.6070301@Oracle.COM>
Date: Thu, 03 Dec 2015 09:31:50 +0000
From: Darren J Moffat <Darren.Moffat@Oracle.COM>
Organization: Oracle Solaris Security
To: Peter Eckersley <pde@eff.org>, Phillip Hallam-Baker <phill@hallambaker.com>
References: <565589E4.2030107@desy.de> <565EBF56.3070502@desy.de> <D836A378-DA88-4AAF-B1E4-F34A80319DC1@gmail.com> <e9092589f3204a449af8b6f900be1303@usma1ex-dag1mb1.msg.corp.akamai.com> <CAL02cgQPZrx5d1xO-xKEQrV+pZKLkhYW_XDSm=QM8THs__s5qQ@mail.gmail.com> <CAMm+LwiqfYH-Vt7L2OSyLTNWzPSYBO-qxhjHege2jFqOnPtxjQ@mail.gmail.com> <20151202220603.GB18430@eff.org>
In-Reply-To: <20151202220603.GB18430@eff.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/-EeUlRKw6v-SG_9gkAArH4P-ppY>
Cc: Richard Barnes <rlb@ipv.sx>, Paul Millar <paul.millar@desy.de>, "acme@ietf.org" <acme@ietf.org>, Yoav Nir <ynir.ietf@gmail.com>, "Salz, Rich" <rsalz@akamai.com>
Subject: Re: [Acme] Server on >= 1024 port
On 12/02/15 22:06, Peter Eckersley wrote:
> On Wed, Dec 02, 2015 at 12:01:04PM -0500, Phillip Hallam-Baker wrote:
>>
>> Again, I think you are missing the real problem here. Let us say we have a
>> new protocol to run over port 666 that is actually a Web service under the
>> covers.
>>
>> Hosting provider has a host that supports the following Web Sites that
>> belong to different parties:
>>
>> example.com
>> malicious.com
>>
>> The hosting provider allows any form of executable to run on the host
>> (10.6.6.6) that does not interfere with apache which has 80 & 443 reserved.
>> [This is typical]
>
> Are there any typical hosting environments in which such executables can
> bind to port 666, while being unable to tear down and replace the
> service that's bound to 443? What are they?

While I don't know of any hosting environment, typical or otherwise, that does this, it is possible to set up such an environment in Solaris and Linux.

In Linux you would do this using SELinux type enforcement policy to control which ports can be bound to. In Solaris it is as simple as granting the process the privilege {net_privaddr}:666/tcp; that process could then listen on port 666/tcp but not 443.

If anything it is more likely to be used to constrain the webserver to only be able to listen on 80 and 443 and not on other ports < 1024.

-- 
Darren J Moffat
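As an added illustration of the Linux side of the reply above (this is not code from the message or from any project it mentions), the following reference-policy-style SELinux module confines a hypothetical daemon so that it may bind a dedicated port type but not the http_port_t type that covers 80 and 443. The module, domain and port-type names (acmeport, acmeport_t, acmeport_exec_t, acmeport_port_t) are assumptions chosen for the example; the refpolicy interfaces used (init_daemon_domain, corenet_port, corenet_tcp_bind_generic_node) and the permission set create_stream_socket_perms are the standard ones shipped with the reference policy.

```selinux
# acmeport.te (example module; all names are assumptions for illustration)
# Confines a daemon to one TCP port type so it can bind 666/tcp but not 443/tcp.
policy_module(acmeport, 1.0)

########################################
# Declarations

# Domain for the confined daemon, and the label for its executable file.
type acmeport_t;
type acmeport_exec_t;
init_daemon_domain(acmeport_t, acmeport_exec_t)

# A dedicated port type. It is attached to 666/tcp at install time with
# semanage (see the usage note); no portcon line is needed in the module.
type acmeport_port_t;
corenet_port(acmeport_port_t)

########################################
# Policy

# Socket lifecycle on the daemon's own TCP sockets (create, bind, listen, ...).
allow acmeport_t self:tcp_socket create_stream_socket_perms;

# Binding below 1024 still needs the DAC capability; SELinux mediates that too,
# so a domain without this line cannot bind any privileged port at all.
allow acmeport_t self:capability net_bind_service;

# Bind to a local node address, and to acmeport_port_t ports only.
corenet_tcp_bind_generic_node(acmeport_t)
allow acmeport_t acmeport_port_t:tcp_socket name_bind;

# Deliberately absent:
#   allow acmeport_t http_port_t:tcp_socket name_bind;
# http_port_t is the type refpolicy assigns to 80 and 443, so bind() on 443 by a
# process in acmeport_t is denied by type enforcement even if it runs as root.
```

Build and load it on a system with the policy development files installed (`make -f /usr/share/selinux/devel/Makefile acmeport.pp && semodule -i acmeport.pp`), then attach the port type with `semanage port -a -t acmeport_port_t -p tcp 666` (this assumes 666/tcp is not already assigned a type in the base policy; `semanage port -l` shows current assignments) and label the binary with `chcon -t acmeport_exec_t` or a `semanage fcontext` rule so it transitions into acmeport_t when started. `sesearch -A -s acmeport_t -c tcp_socket -p name_bind` should then list acmeport_port_t and nothing else; an attempted bind to 443 shows up in the audit log as an AVC denial with tclass=tcp_socket. Two caveats a practitioner would check: the restriction only applies to processes that actually run in acmeport_t rather than unconfined_t, and it governs binding only; whether the same process can signal or replace the web server's listener is a separate matter of inter-domain process permissions, not port labels.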