X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=authbind.git;a=blobdiff_plain;f=authbind.1;h=d73e998990a92e6139d5c2ef6165f7aaac8e0569;hp=4376a53e4399a07cd51410e9cda6ab8133bc636c;hb=9d4eb04ba356aac58d96bbb2bdf81bd69ba68122;hpb=4fb8dbb04eb972be4957cdc573b7e9ef0e8ca84a diff --git a/authbind.1 b/authbind.1 index 4376a53..d73e998 100644 --- a/authbind.1 +++ b/authbind.1 @@ -139,8 +139,24 @@ will fail with .B ENOENT .RI ( "No such file or directory" ). .PP +If a read error occurs, or the directory +.B /etc/authbind +cannot be accessed, then not only will +.B bind +fail, but an error message will be printed to stderr. Unrecognised +lines in +.BI /etc/authbind/byuid/ uid +files are silently ignored, as are lines whose +.I addr +has non-zero bits more than +.I length +from the top or where some +.I min +is larger than +.IR max . +.SH EXAMPLE So for example an attempt by uid 432 -to bind to [2620:106:e002:f00f::21]:80 +to bind to port 80 of address [2620:106:e002:f00f::21] would result in authbind calling .I access(2) on, in order, 
@@ -162,29 +178,15 @@ the relevant access; examples of lines which would do so are: .br .B ::/0,80 .RE -.PP -If a read error occurs, or the directory -.B /etc/authbind -cannot be accessed, then not only will -.B bind -fail, but an error message will be printed to stderr. Unrecognised -lines in -.BI /etc/authbind/byuid/ uid -files are silently ignored (as are lines whose -.I addr -has non-zero bits more than -.I length -from the top) or where some -.I min -is larger than -.IR max . -.PP +.SH PORTS 512-1023 Authorising binding to ports from 512 to 1023 inclusive is not recommended. Some protocols (including some versions of NFS) authorise clients by seeing that they are using a port number in this range. So by authorising a program to be a server for such a port, you are also authorising it to impersonate the whole host for those -protocols. To make sure that this isn't done by accident, +protocols. + +To make sure that this isn't done by accident, if the port number requested is in the range 512-1023, authbind will expect the permission files to have an additional .B !
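Review bot: In the first hunk (@@ -139,8 +139,24 @@), the sentence directly under the new ".SH EXAMPLE" heading still opens with "So for example an attempt by uid 432", which reads as a continuation of an earlier paragraph. It now starts its own section, and the paragraph immediately before it is the relocated text about read errors and ignored lines, so the connective "So" has nothing to refer to. Suggest opening the section with "An attempt by uid 432 to bind to port 80 of address [2620:106:e002:f00f::21] would result in ..." and dropping "for example", which the heading already says.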
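Review bot: In the second hunk (@@ -162,29 +178,15 @@), the paragraph break added after "protocols." is an empty source line, while the rest of this file separates paragraphs with the ".PP" macro, as the ".PP" lines removed in this same hunk show. Suggest replacing the empty line with ".PP" before "To make sure that this isn't done by accident," so the new "PORTS 512-1023" section follows the same convention as the text around it.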