关于 Socket 的安全问题
今天看了些资料,了解了下 Socket 的安全问题,特别是端口复用方面。
首先,微软从2003后就开始增强服务器操作系统的安全性
比如,在03之前的操作系统中,只要第一个 Socket 不设置 SO_EXCLUSIVEADDRUSE,那么第二个 Socket 做 Bind 使用 SO_REUSEADDR 都会成功。
First bind call | Second bind call | ||||||
---|---|---|---|---|---|---|---|
Default | SO_REUSEADDR | SO_EXCLUSIVEADDRUSE | |||||
Wildcard | Specific | Wildcard | Specific | Wildcard | Specific | ||
Default | Wildcard | INUSE | INUSE | Success | Success | INUSE | INUSE |
Specific | INUSE | INUSE | Success | Success | INUSE | INUSE | |
SO_REUSEADDR | Wildcard | INUSE | INUSE | Success | Success | INUSE | INUSE |
Specific | INUSE | INUSE | Success | Success | INUSE | INUSE | |
SO_EXCLUSIVEADDRUSE | Wildcard | INUSE | INUSE | ACCESS | ACCESS | INUSE | INUSE |
Specific | INUSE | INUSE | ACCESS | ACCESS | INUSE | INUSE |
而03之后,包括03,却是如下结果:
First bind call | Second bind call | ||||||
---|---|---|---|---|---|---|---|
Default | SO_REUSEADDR | SO_EXCLUSIVEADDRUSE | |||||
Wildcard | Specific | Wildcard | Specific | Wildcard | Specific | ||
Default | Wildcard | INUSE | Success | ACCESS | Success | INUSE | Success |
Specific | Success | INUSE | Success | Success | INUSE | INUSE | |
SO_REUSEADDR | Wildcard | INUSE | Success | Success | ACCESS | INUSE | Success |
Specific | Success | INUSE | Success | Success | INUSE | INUSE | |
SO_EXCLUSIVEADDRUSE | Wildcard | INUSE | ACCESS | ACCESS | ACCESS | INUSE | ACCESS |
Specific | Success | INUSE | Success | ACCESS | INUSE | INUSE |
对于不同账号创建的进程,又是如下的结果:
First bind call | Second bind call | ||||||
---|---|---|---|---|---|---|---|
Default | SO_REUSEADDR | SO_EXCLUSIVEADDRUSE | |||||
Wildcard | Specific | Wildcard | Specific | Wildcard | Specific | ||
Default | Wildcard | INUSE | ACCESS | ACCESS | ACCESS | INUSE | ACCESS |
Specific | Success | INUSE | Success | ACCESS | INUSE | INUSE | |
SO_REUSEADDR | Wildcard | INUSE | ACCESS | Success | Success | INUSE | ACCESS |
Specific | Success | INUSE | Success | Success | INUSE | INUSE | |
SO_EXCLUSIVEADDRUSE | Wildcard | INUSE | ACCESS | ACCESS | ACCESS | INUSE | ACCESS |
Specific | Success | INUSE | Success | ACCESS | INUSE | INUSE |