Re: [squid-users] safe port

From: Adrian Chadd <adrian@dont-contact.us>
Date: Wed, 6 Mar 2002 00:54:57 -0700

On Tue, Mar 05, 2002, Adam Rice wrote:
> On Tue, Mar 05, 2002 at 12:10:14PM -0500, Chandrasekhar KRISHNAN wrote:
> > Why does Squid consider ports greater than 1024 safe, when it is easy to
> > abuse them (since a non-root user can bind on them)?
> >
> > I went through the discussions about the safe ports in the mailing list,
> > but couldn't find answer to this question. Any info will be appreciated.
>
> It depends on your definition of "safe". Most Squid administrators will be
> concerned about users using Squid to perform actions they would not normally
> have permission to do, by connecting to machines that have trust
> relationships with the Squid server. Usually security-critical applications
> run on ports < 1024, precisely because these are the ports that cannot be
> hijacked by non-root users. So "safe" in this context means ports that can
> be connected to without resulting in unintended privilege elivation.
>
> Of course, even port 80 can be unsafe if there happens to be an intranet web
> server that trusts the Squid server, but such things cannot be solved by the
> default config.
>
> Personally, I always configure my Squid servers to use a blacklist of unsafe
> ports, since that causes less user complaints about the vast armies of
> webservers running on non-standard port numbers, but then our servers aren't
> entangled in any complex trust relationships.

.. and please note that the safe ports apples to HTTP, _NOT_ HTTPS.
Clients can therefore send HTTP requests to high ports, but not requests
a HTTP CONNECT tunnel to a non-HTTPS port (port 443 and a couple
more in squid.conf.)

So I wouldn't be worried about the security implications - unless
your'e connecting to a server which you can exploit and takes a
http request, you're pretty safe.

Adrian
Received on Wed Mar 06 2002 - 00:54:58 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:06:43 MST