install -o root -g root -m 755 -s authbind $(bin_dir)/.
install -o root -g root -m 755 $(LIBTARGET) $(lib_dir)/.
strip --strip-unneeded $(lib_dir)/$(LIBTARGET)
- ln -s $(LIBTARGET) $(lib_dir)/$(LIBCANON)
+ ln -sf $(LIBTARGET) $(lib_dir)/$(LIBCANON)
install -o root -g root -m 4755 -s helper $(lib_dir)/.
install -o root -g root -m 755 -d $(etc_dir) \
$(etc_dir)/byport $(etc_dir)/byaddr $(etc_dir)/byuid
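Review bot: the `ln -s` to `ln -sf` change on the `$(LIBCANON)` link makes a reinstall idempotent, but `-f` also silently replaces whatever is already at `$(lib_dir)/$(LIBCANON)`, including a regular file left by an older packaging; that is acceptable for an install target, but worth a one-line comment in the Makefile so nobody later "fixes" it back to `-s` when they see it clobbering a file. Separately, `helper` is installed setuid root (`-m 4755`) and `install -s` strips it in the same step, so the `strip --strip-unneeded` line above only covers the library; keep it that way rather than adding a second strip pass over the setuid binary.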
of exactly the right length (8 and 4 digits, respectively), being
a pairs of hex digits for each byte in the address or port number when
expressed in network byte order.
+.PP
+.B helper
+will not bind to ports 512 and onwards, because programs like
+.B rshd
+expect these to be used for outgoing connections, so allowing a user
+to bind to one of these would open up security hole(s).
.SH EXIT STATUS
.B helper
will exit with code 0 on success.
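Review bot: the new paragraph says "ports 512 and onwards" while the code enforces `port >= IPPORT_RESERVED/2`; state the range as "512 to 1023 inclusive" here, as the authbind(1) text does, so the two manpages and the code describe the same boundary and a reader is not left wondering whether ports above 1023 are also refused (they are not, they simply never reached the helper). The rationale could also be made one step more explicit: services in the rsh family treat a low source port in the 512 to 1023 range as proof that the peer process is privileged, so letting an unprivileged local user bind one of those ports would let them forge that credential. The `.B rshd` reference is fine, but "security hole(s)" reads as a draft; pick singular.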
will set up some environment variables, including an
.BR LD_PRELOAD ,
which will allow the program (including any subprocesses it may run)
-to bind to low-numbered (<1024) ports if the system is configured to
+to bind to low-numbered (<512) ports if the system is configured to
allow this.
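Review bot: changing "(<1024)" to "(<512)" in the DESCRIPTION is correct for the new behaviour, but on its own it reads as if 512 to 1023 were not privileged ports at all; a parenthetical such as "ports 512 to 1023 are privileged too, but authbind refuses to handle them, see ACCESS CONTROL" would keep this paragraph accurate and point the reader to where the restriction is explained.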
.SH ACCESS CONTROL
Access to low numbered ports is controlled by permissions and contents
signal to be delivered. Programs should not rely on standard
libraries not doing these things.
.PP
+Ports from 512 to 1023 inclusive cannot be used with
+.B authbind
+because that would create a security hole, in conjection with
+.BR rshd .
+.PP
The access control configuration scheme is somewhat strange.
.SH FILES AND ENVIRONMENT VARIABLES
.TP
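Review bot: typo in the added text, "conjection" should be "conjunction"; as this is the user-facing manpage it should be fixed before release. The sentence also needs to say what happens when such a port is requested: from the libauthbind hunk below the bind is handed straight to the kernel's `bind()`, so a non-root caller gets the kernel's normal permission error rather than anything from authbind, and a `byport` or `byaddr` file for port 513 is silently ignored. Spelling that out saves a support question.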
-authbind (1.0-1) experimental; urgency=low
+authbind (1.0) experimental; urgency=low
* Following testing, we can call this 1.0.
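Review bot: the changelog entry only records the version bump, but this upload also changes behaviour in a way that can break existing deployments (ports 512 to 1023 are now refused, and the helper exits with `EPERM` for them); add a second bullet describing that restriction and its rshd rationale so the change is discoverable from the changelog. Also note that `1.0-1` to `1.0` drops the Debian revision, which implies the package is now native; make sure the source format and packaging agree with that.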
if (argc != 3) badusage();
addr= strtoul(argv[1],&ep,16); if (*ep || addr&~0x0ffffffffUL) badusage();
port= strtoul(argv[2],&ep,16); if (*ep || port&~0x0ffffUL) badusage();
+ if (port >= IPPORT_RESERVED/2) _exit(EPERM);
if (chdir(CONFIGDIR)) perrorfail("chdir " CONFIGDIR);
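Review bot: the new check is in the right place, after the port has been parsed and range-checked to 16 bits and before the helper touches `CONFIGDIR`, and because it lives in the setuid helper it holds even if a caller bypasses libauthbind and invokes the helper directly; that is the property that matters, so it deserves a short comment saying so and naming the rshd reason. Two details to confirm: `IPPORT_RESERVED` needs `<netinet/in.h>` included in this file, and `_exit(EPERM)` relies on the library side interpreting the helper's exit status as an errno value, so check that the libauthbind caller does that and that `EPERM` is distinguishable from the "no configuration matched" case rather than collapsing into a generic failure.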
int status;
if (addr->sa_family != AF_INET || addrlen != sizeof(struct sockaddr_in) ||
- ntohs(((struct sockaddr_in*)addr)->sin_port) >= 1024 || !geteuid())
+ ntohs(((struct sockaddr_in*)addr)->sin_port) >= IPPORT_RESERVED/2 || !geteuid())
return old_bind(fd,addr,addrlen);
if (getenv(AUTHBIND_NESTED_VAR)) {
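Review bot: with the comparison now `>= IPPORT_RESERVED/2`, a bind to 512 through 1023 takes the `return old_bind(...)` path without ever consulting the helper, so the restriction is enforced here by falling through to the kernel rather than by an explicit refusal; that is consistent with the helper's own check, but it means a non-root process asking for port 513 sees the kernel's `EACCES` and nothing in authbind logs or signals that the request was deliberately declined. Consider a comment on this line referencing the helper-side check so the two are maintained together, and note that the condition still only handles `AF_INET` with an exact `sizeof(struct sockaddr_in)` length, so any future IPv6 support will need the same 512 boundary applied in a second branch.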