X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?a=blobdiff_plain;ds=sidebyside;f=authbind.1;h=2b372eaf08396cf2c5bc5e6af200e35e88999404;hb=59d14c88d280ffc962ee93e535ae87567316c544;hp=a7bb5b54ac7960cf244aa83dab7949d65c7ec155;hpb=ced277da933eb4aeb199ee534cfe9a15804061cc;p=authbind.git diff --git a/authbind.1 b/authbind.1 index a7bb5b5..2b372ea 100644 --- a/authbind.1 +++ b/authbind.1 @@ -23,8 +23,8 @@ .SH NAME authbind \- bind sockets to privileged ports without root .SH SYNOPSIS -.BI authbind " program" -.RI [ argument " ...]" +.BR authbind +.RI [ options "] " program " [" argument " ...]" .SH DESCRIPTION .B authbind allows a program which does not or should not run as root to bind to @@ -37,6 +37,28 @@ will set up some environment variables, including an which will allow the program (including any subprocesses it may run) to bind to low-numbered (<512) ports if the system is configured to allow this. +.SH OPTIONS +.TP +.B --deep +Normally, +.B authbind +arranges for only the program which it directly invokes to be affected +by its special version of +.BR bind (2). +If you specify +.B --deep +then all programs which that program invokes directly or indirectly +will be affected, so long as they do not unset the environment +variables set up by +.BR authbind . +.TP +.BI --depth " levels" +Causes +.B authbind +to affect programs which are +.I levels +deep in the calling graph. The default is +.BR "--depth 1" . .SH ACCESS CONTROL Access to low numbered ports is controlled by permissions and contents of files in a configuration area, 
@@ -168,6 +190,13 @@ makes an installation specific to a particular C library. This version is for GNU/Linux libc6 (glibc2). .PP +.B authbind +may not operate correctly with multithreaded programs. It is +inherently very difficult (if not impossible) to perform the kind of +trickery that authbind does while preventing all undesirable +interactions between authbind's activities and those of (say) a +threading runtime system. +.PP It is quite possible that .B authbind and other programs and facilities which use @@ -183,7 +212,11 @@ means in this context). .B authbind is ineffective with setuid programs, because they do not honour .B LD_PRELOAD -for security reasons. Of course a setuid-root program does not need +references outside the system directories, for security reasons. (In +fact, setuid programs should not honour +.B LD_PRELOAD +at all.) +Of course a setuid-root program does not need .BR authbind , but it might be useful to apply it to program which are setuid to another user or setgid. If the author or builder of such a programs 
@@ -231,16 +264,31 @@ If set, forces .B authbind to use its value as the path to the shared library to put in .BR LD_PRELOAD , -instead of the compiled-in value. +instead of the compiled-in value. In any case, unless +.B --deep +was specified, +.B authbind +will set this variable to the name of the library actually added to +.BR LD_PRELOAD , +so that the library can find and remove the right entry. .TP -.I AUTHBIND_NESTED -Do not set this variable. It is set to -.B 1 -by -.B libauthbind -when it invokes the helper program. This allows detection of the -situation where the helper has not been installed setuid, which would -otherwise lead to infinite recursion. +.I AUTHBIND_LEVELS +This variable is set by +.B authbind +to the number of levels left from the +.B --depth +or +.B --deep +option, minus one. It is decremented during +.B _init +by the library on each program call, and the library will remove +itself from the +.B LD_PRELOAD +when it reaches zero. The special value +.B y +means +.B --deep +was specified. .SH SEE ALSO .BR bind (2), .BR authbind\-helper (8),
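Review bot: In the OPTIONS hunk (@@ -37,6 +37,28 @@), the --deep entry does not spell out what the wider scope means for access control. Every descendant that inherits the environment can bind the ports the configuration permits, so the entry should say so and point readers at the smallest --depth that works for them. The --depth entry also leaves open what happens when --deep and --depth are given together and whether a levels value of 0 is accepted. As a style point, the option names are written with bare hyphens (".B --deep", ".BI --depth") while the NAME line uses "\-"; writing them as "\-\-deep" and "\-\-depth" keeps the page consistent and makes the rendered text safe to copy.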
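Review bot: In the hunk at @@ -168,6 +190,13 @@, "may not operate correctly with multithreaded programs" gives the reader no failure mode to plan around. Say what an administrator should expect to observe, for example whether bind(2) fails with an error or whether the behaviour is undefined, so they can judge whether trying it with a threaded daemon is acceptable.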
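Review bot: In the hunk at @@ -183,7 +212,11 @@, the two new sentences pull in different directions. The first says setuid programs ignore LD_PRELOAD "references outside the system directories", which implies a library installed inside a system directory would be honoured, and the parenthesis then says setuid programs "should not honour LD_PRELOAD at all". State which behaviour the reader should rely on and whether installing the library in a system directory is a supported way to make authbind work with setuid or setgid programs. The unchanged context just below ("apply it to program which are setuid", "such a programs") has grammar slips that could be fixed in the same pass.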
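Review bot: In the hunk at @@ -231,16 +264,31 @@, removing the AUTHBIND_NESTED entry drops the only documentation of the guard against infinite recursion when the helper is not installed setuid, and nothing in the new text says whether that guard still exists or what replaced it. The AUTHBIND_LEVELS entry is also ambiguous about counting. It is set to the number of levels "minus one", so the default "--depth 1" starts at 0, yet the library is described as decrementing it "on each program call" and removing itself "when it reaches zero"; spell out the value seen by the first program and at which value the library stays active. The old entry's "Do not set this variable" warning has no counterpart, so the page should say whether a user-supplied AUTHBIND_LEVELS is honoured or overwritten.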