Setting Up A Flash Socket Policy File

[3x-a-D3-u5]

Hi guys,

I recently got this request from a client who develops flash applications:

Is it possible for you to set the server up to serve a master policy file on port 843 for Flash. Please have a look at http://www.lightsphere.com/dev/artic...et_policy.html and http://www.adobe.com/devnet/flashpla...icy_files.html.

From what i understand i will be authorizing his applications as legit. I'm not sure if this is a great idea, as it could lead me as the host into problems. What do you think?

Below is some information from the website mentioned:

In earlier versions of Flash Player, if the server didn't have a socket policy, your Flash application could still connect. Now if there's no policy, your application will not connect.

When the Flash Player tries to make a connection, it checks in two places for the socket policy:

* Port 843. If you are the administrator of a webserver and you have root access, you can set up an application to listen on this port and return a server-wide socket policy.
* The destination port. If you're running your own xml server, you can configure it to send the socket policy file.

The Flash player always tries port 843 first; if there's no response after 3 seconds, then it tries the destination port.

In either case, when the Flash player makes a connection, it sends the following XML string to the server:
<policy-file-request/>

Your server then must send the following XML in reply:
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>

* is the wildcard and means "all ports/domains". If you want to restrict access to a particular port, enter the port number, or a list or range of numbers.

Since the Flash Player always tries port 843 first, if there's nothing listening on that port, then the Flash clients are going to experience a 3-second delay when trying to connect to your server. Even if you set up a policy file on the destination port, there will still be the delay. For fastest response times, you should set up a server-wide socket policy server on port 843.

[jasonhk]

Download the zip and take a look at the The Python daemon, it is probably the best solution.

To install the Python daemon located in the Python_init folder, it is necessary to have root privileges on the Linux machine. Similar to the xinetd scripts, the install.sh script will copy the Python file for the policy file server (flashpolicyd.py) to /usr/local/sbin as flashpolicyd. An init script will be copied into /etc/rc.d/init.d/ that supports basic "start","stop", and "restart" commands. The install.sh script will copy the flashpolicy.xml file to /usr/local/etc/. Finally, it will try to start the service and configure it to start automatically at boot time. The daemon will run as the user root and log to STDERR.

Basically upload the python_init to your serve, run the install, edit the files and start the server.

[3x-a-D3-u5]

Thanks Jason,

My question is more related to whether I should go ahead and install it. Are there any security risks?

[3x-a-D3-u5]

Any one got any thoughts about this? should you implement it? Or should I give them a small VPS?