On 12/02/15 22:06, Peter Eckersley wrote:
> On Wed, Dec 02, 2015 at 12:01:04PM -0500, Phillip Hallam-Baker wrote:
>
>> Again, I think you are missing the real problem here. Let us say we have a
>> new protocol to run over port 666 that is actually a Web service under the
>> covers.
>>
>> Hosting provider has a host that supports the following Web Sites that
>> belong to different parties:
>>
>> example.com
>> malicious.com
>>
>> The hosting provider allows any form of executable to run on the host
>> (10.6.6.6) that does not interfere with apache which has 80 & 443 reserved.
>> [This is typical]
>
> Are there any typical hosting environments in which such executables can
> bind to port 666, while being unable to tear down and replace the
> service that's bound on 443?  What are they?

While I don't know of any hosting environment, typical or otherwise, that does this, it is possible to set up such an environment in Solaris and Linux. In Linux you would do this using SELinux type enforcement policy to control which ports can be bound to. In Solaris it is as simple as granting the process the privilege {net_privaddr}:666/tcp; that process could then listen on port 666/tcp but not 443.

If anything, it is more likely to be used to constrain the webserver to only be able to listen on 80 and 443 and not on other ports < 1024.

--
Darren J Moffat

_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
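The SELinux side of Darren Moffat's answer, as an added example that is not part of the original thread: a minimal type-enforcement module that confines a daemon domain so it can name_bind only to TCP port 666, plus the commands to build, load and check it. The module name "portsvc", the types portsvc_t / portsvc_exec_t / portsvc_port_t, the binary path /usr/local/sbin/portsvc and the refpolicy Makefile location are assumptions for illustration; the Solaris equivalent is noted in comments only, and the exact ppriv(1)/svccfg(1M) spelling of the extended privilege should be checked against your Solaris release. Run it with the argument `install` on an SELinux host with the policy development tools; without arguments it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the ACME thread): SELinux type-enforcement module
# that lets one daemon domain bind *only* to TCP port 666.  Names below
# (portsvc, portsvc_t, portsvc_exec_t, portsvc_port_t, /usr/local/sbin/portsvc)
# are assumptions for illustration.  Needs selinux-policy-devel (Makefile,
# semodule, semanage, sesearch) on a refpolicy-based distribution.
set -eu

# write_policy DIR PORT: emit the module source (.te + .fc) into DIR.
write_policy() {
    dir=$1; port=$2
    cat >"$dir/portsvc.te" <<EOF
policy_module(portsvc, 1.0)

type portsvc_t;
type portsvc_exec_t;
type portsvc_port_t;
# init (not an unconfined shell) transitions into portsvc_t when it
# executes a file labelled portsvc_exec_t.
init_daemon_domain(portsvc_t, portsvc_exec_t)
corenet_port(portsvc_port_t)

# Ports < 1024 still need CAP_NET_BIND_SERVICE for a root daemon; the
# name_bind check below is what limits *which* low port it may take.
allow portsvc_t self:capability net_bind_service;
allow portsvc_t self:tcp_socket { create bind listen accept read write getattr setattr setopt shutdown };
corenet_tcp_bind_generic_node(portsvc_t)

# The only name_bind rule: port ${port}/tcp, labelled portsvc_port_t.
# Nothing grants name_bind on http_port_t (80/443), so bind(2) on 443
# returns EACCES even for uid 0 in this domain (default deny).  Likewise
# no rule allows signals to httpd_t, so it cannot kill apache either.
allow portsvc_t portsvc_port_t:tcp_socket name_bind;
EOF
    cat >"$dir/portsvc.fc" <<EOF
/usr/local/sbin/portsvc    --    gen_context(system_u:object_r:portsvc_exec_t,s0)
EOF
}

# install_policy: build with the refpolicy Makefile (policy_module() and
# the corenet_* interfaces are m4 macros, so raw checkmodule will not do),
# load it, label the port and the binary.
install_policy() {
    port=666
    dir=$(mktemp -d)
    write_policy "$dir" "$port"
    (cd "$dir" && make -f /usr/share/selinux/devel/Makefile portsvc.pp)
    semodule -i "$dir/portsvc.pp"
    # 'semanage port -a' fails if the port already carries a label;
    # fall back to modifying the existing mapping.
    semanage port -a -t portsvc_port_t -p tcp "$port" \
        || semanage port -m -t portsvc_port_t -p tcp "$port"
    restorecon -v /usr/local/sbin/portsvc
}

# verify_policy: the checks a reviewer would run after loading.
verify_policy() {
    # Every port type portsvc_t may name_bind to.  Expect exactly one line,
    # for portsvc_port_t; http_port_t must not appear.
    sesearch -A -s portsvc_t -c tcp_socket -p name_bind
    # Confirm 666/tcp carries our label and 443 is still http_port_t.
    semanage port -l | grep -E '^(portsvc_port_t|http_port_t) '
    # A bind attempt on 443 from inside the domain is logged as an AVC
    # denial, e.g.: ausearch -m AVC -c portsvc
}

# Solaris 11 equivalent (assumption, see ppriv(1) and smf_method(5)):
# grant the daemon's SMF method the extended privilege
#   privileges="basic,{net_privaddr}:666/tcp"
# so the process can bind 666/tcp but no other privileged port.

case "${1:-}" in
    install) install_policy; verify_policy ;;
    verify)  verify_policy ;;
    *) ;;   # define functions only
esac
```

Two caveats a practitioner will hit: the restriction only applies to processes that actually run in portsvc_t (a root shell in unconfined_t is not confined by this module at all), and on a system in permissive mode the denial is only logged, so check `getenforce` before trusting the result.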