Guile security vulnerability w/ listening on localhost + port

We can manage permissions to unix sockets pretty well using file system-based access control rules. Of course file system permissions are based on UID and within a user account it's usually 'anything goes'.. that is the web browser has the same rights and privileges to the file system that the user running it has. SELinux is useful here, but painful.

With internet sockets the only real rule, most of the time, is 'need to be root to create socket numbered lower then 1024'. And that's pretty much it. Otherwise anything can do anything. I suppose you could use iptables, but that is also really painful unless you are running some very static setup.

Android is a bit more robust in this regard because each application ends up running as a different UID and has some basic provisioning for internal controls via privileges based around traditional Unix group membership and standardized application APIs. Not too useful for normal Linux installs unless you want to rewrite every application, unfortunately.

The solution seems to be, at this point, is to use container-style namespace-based sandboxing. That way you can run applications with a sort of 'need to know' approach without having to modify the applications themselves (much). If applications don't 'need to know' about sockets (internet, unix or otherwise) they won't ever be able to see them. If they can't ever see them then it's going to be a lot more difficult to do something malicious with them.

https://blog.lizzie.io/exploiting-CVE-2016-8606.html indicates no DNS rebinding is needed, you can use XMLHttpRequest to send an HTTP GET request with an attacker-controlled URL (containing some Guile code) directly to localhost. The web's security model assumes that GET requests will cause no harmful side-effects, so it's safe to send arbitrary GETs to arbitrary hosts. (It does assume they might return confidential information, so (by default) CORS will prevent an attacker seeing the response, but it will still happily send the request first.)

I don't see why XMLHttpRequest would be needed here either - a simple <img src="http://localhost:37146/?attack-code"> or <a href="http://localhost:37146/?attack-code">click me to learn about an important security vulnerability</a> sounds like it ought to work just as well in this case, with no scripting involved. That's why the web's security model makes those assumptions about GETs - it's been trivial to send arbitrary GET requests since the very beginning of the web (before anyone cared about security), so everyone writing servers should already be aware of that. But people writing non-HTTP servers may still be quite surprised that attackers can send HTTP requests to them, and they may foolishly believe in Postel's law and accept those unexpected requests.

It's NOT really a vulnerability, but to the ignorant it can look like one.

I know that there are some tasks to solve. How to upload a file to the internet? The user prefers, not having to copy the file to the browsers container before. But there should be a way such that the browser can access the file open dialog from the desktop environment and then get a fd back.

The kernel should be roughly at a point, where this works. The userspace is not. Creation of containers for user applications would need to be (almost) transparent to the user.

OTOH, non-buggy programs do not access data-driven file paths, so access to a file (or a UNIX socket) can be more safely treated as authority.

Of course, on multi-user systems localhost was never safe and programs like guile should expect to be running on a multi-user system and make the default configuration safe.