Re: determining if connection is local
- Subject: Re: determining if connection is local
- From: Douglas Davidson <email@hidden>
- Date: Thu, 25 Sep 2003 16:16:18 -0700
On Thursday, September 25, 2003, at 02:44 PM, Quinn wrote:
> Finally, I'm kinda paranoid about network security so, if I was
> writing this, I would write the server as follows.
> o Use a Unix domain socket for local communications. This guarantees
> that local requests are coming from the local machine.
> o Use a TCP socket for network requests.
> Thus, if the user has disabled remote access, you can disable the TCP
> listener and you're guaranteed to be safe. The only drawback is a
> little more complexity, but IMHO (and remember, I'm paranoid) it's
> worth the effort.
They say you're not paranoid if someone really is out to get you. In
network security, you can usually assume that someone is out to get
you, so my vote is with Quinn, and here's a story to tell you why.
There's a set of protocols called Sun RPC, and associated with them is
a little daemon called the portmapper that maps between protocol
numbers and the ports they're running on. One other little thing this
daemon does: it supports broadcast communications by forwarding
certain requests directly to the appropriate server.
There was one such service once that differentiated for security
purposes between requests by examining various characteristics of the
packets. This worked just fine in most cases--until it was noticed
that you could also get these requests to be forwarded to the server by
the portmapper. The portmapper is a local process running as root, so
you can guess what the service thought about the requests it
forwarded--it thought they were requests coming from the local root
user, no matter where they came from originally. Oops.
Douglas Davidson
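Quinn's two-listener design, as an added example that is not code from either poster: the server answers "is this local?" by which listener accepted the connection, never by a peer address, which the portmapper story shows can be laundered by a trusted local forwarder. The names build_listeners, classify, peer_uid and demo are assumptions; SO_PEERCRED is Linux-only (macOS would use LOCAL_PEERCRED).

```python
import os
import socket
import struct
import tempfile

def build_listeners(sock_path, tcp_port, allow_remote, bind_addr="0.0.0.0"):
    """Local requests: Unix domain socket. Remote requests: TCP, only if enabled."""
    if os.path.exists(sock_path):
        os.unlink(sock_path)
    local = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    local.bind(sock_path)
    os.chmod(sock_path, 0o600)  # assumed policy: only this user may connect locally
    local.listen(8)
    remote = None
    if allow_remote:  # "remote access disabled" means no TCP listener exists at all
        remote = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        remote.bind((bind_addr, tcp_port))
        remote.listen(8)
    return {"local": local, "remote": remote}

def classify(conn):
    """'local' iff it arrived on the Unix domain listener. A TCP connection from
    127.0.0.1 is still 'remote': a peer address is not proof of origin."""
    return "local" if conn.family == socket.AF_UNIX else "remote"

def peer_uid(conn):
    """Kernel-asserted uid of a Unix-domain peer (Linux SO_PEERCRED), else None."""
    if conn.family != socket.AF_UNIX or not hasattr(socket, "SO_PEERCRED"):
        return None
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)  # struct ucred: pid, uid, gid
    return uid

def demo():
    """Constructed run: one Unix-domain client and one loopback TCP client."""
    path = os.path.join(tempfile.mkdtemp(), "svc.sock")
    ls = build_listeners(path, 0, allow_remote=True, bind_addr="127.0.0.1")
    uc = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    uc.connect(path)
    tc = socket.create_connection(ls["remote"].getsockname())
    uconn, _ = ls["local"].accept()
    tconn, _ = ls["remote"].accept()
    uid = peer_uid(uconn)
    result = (classify(uconn), classify(tconn), uid is None or uid == os.getuid())
    for s in (uconn, tconn, uc, tc, ls["local"], ls["remote"]):
        s.close()
    os.unlink(path)
    return result
```

With allow_remote=False the TCP listener is simply never created, so the only way in is the Unix domain socket, whose peer identity the kernel vouches for.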
_______________________________________________
macnetworkprog mailing list | email@hidden