(any protocol) or failing that
.BI /etc/authbind/byaddr/ addr : port
(IPv4 only)
-is tested, in the same manner as above. (Here
+is tested, in the same manner as above. Here
.I addr
is as from
-.BR inet_ntop .)
+.BR inet_ntop ,
+and
+.I port
+is the (local) TCP or UDP port number, expressed as an unsigned
+integer in the minimal non-zero number of digits.
+.PP
+Thirdly, for IPv6 only: since the textual representation from
+.B inet_ntop
+is complicated to predict, a variant of
+.I addr
+is also tested which does not use the double colon abbreviation:
+each 16-byte chunk expressed in the minimal nonzero number
+of hex digits (i.e. with leading zeroes removed), the chunks
+being separated by colons as is conventional.
.PP
-Thirdly, if the question is still unresolved, the file
+Fourthly, if the question is still unresolved, the file
.BI /etc/authbind/byuid/ uid
will be opened and read. If the file does not exist then the binding
is not authorised and
.RI ( "Operation not permitted" ", or " "Not owner" ).
If the file does exist it will be searched for a line of the form
.nf
-.IR addrmin [\fB\-\fR addrmax ]\fB,\fR portmin \fB\-\fR portmax
+.IR addrmin [\fB\-\fR addrmax ]\fB,\fR portmin [\fB\-\fR portmax ]
+.IR addr [\fB/\fR length ]\fB,\fR portmin [\fB\-\fR portmax ]
.IB addr4 / length : portmin , portmax
.fi
matching the request.
The first form requires that the address lies in the
relevant range (inclusive at both ends).
-The second form requires that the initial
+The second and third forms require that the initial
.I length
bits of
.I addr
match those in the proposed
.B bind
-call and is only available for IPv4.
-Addresses can
-be in any form acceptable to inet_pton. In both cases
+call. The third form is only available for IPv4 since IPv6 addresses
+contain colons.
+Addresses in the byuid file can
+be in any form acceptable to inet_pton. In all cases
the proposed port number must lie is in the inclusive range
specified. If such a line is found then the binding is authorised.
Otherwise it is not, and
.B ENOENT
.RI ( "No such file or directory" ).
.PP
-In each case above,
-.TP
-.I port
-is the (local) TCP or UDP port number, expressed as an unsigned
-integer in the minimal non-zero number of digits, and
+So for example an attempt by uid 432
+to bind to [2620:106:e002:f00f::21]:80
+would result in authbind calling
+.I access(2)
+on, in order,
+.RS
+.B /etc/authbind/byport/80
+.br
+.B /etc/authbind/byaddr/2620:106:e002:f00f::21,80
+.br
+.B /etc/authbind/byaddr/2620:106:e002:f00f:0:0:0:21,80
+.RE
+If none of these files exist, authbind will read
+.RS
+.B /etc/authbind/byuid/432
+.RE
+and search for a line to permit
+the relevant access; examples of lines which would do so are:
+.RS
+.B 2620:106:e002:f00f::21,80
+.br
+.B ::/0,80
+.RE
.PP
If a read error occurs, or the directory
.B /etc/authbind
lines in
.BI /etc/authbind/byuid/ uid
files are silently ignored (as are lines whose
-.I addr4
+.I addr
has non-zero bits more than
.I length
-from the top) or where
+from the top) or where some
.I min
is larger than
.IR max .
~ian / authbind.git / blobdiff