[preload-hacks] / noip.1

.de VS
.sp 1
.RS
.nf
.ft B
..
.de VE
.ft R
.fi
.RE
.sp 1
..
.TH noip 1 "5 May 2005" "Straylight/Edgeware" "Preload hacks"
.SH NAME
noip \- run programs without the ability to use IP sockets
.SH SYNOPSIS
.B noip
.RI [ command
.RI [ args ...]]
.SH DESCRIPTION
The
.B noip
program runs
.I command
(by default, the user's shell, as determined by the
.B SHELL
environment variable) in an environment where attempts to use TCP/IP
networking are (mostly) transparently translated into the use of
Unix-domain sockets in a private directory.
.PP
There are many programs which use TCP/IP for their own internal
communications needs, largely unnecessarily.  This can present security
problems: even if a program binds its listening sockets to
.BR localhost ,
other users on the same system can still connect, and many such programs
don't seem to have authentication systems.
.PP
.B noip
addresses this problem by intercepting a program's networking calls and
making it use Unix-domain sockets in a private directory instead of
TCP/IP.  Now its communications are truly private to the running user.
.SS The socket directory
The
.B noip
program keeps its sockets in a directory whose name can be configured,
but by default is
.BI noip- \c
.IR username ,
where
.I username
is determined by the
.B USER
or
.B LOGNAME
environment variables, or is
.BI uid- \c
.IR realuid 
in the temporary directory, which in turn is determined by the
.B TMPDIR
or
.B TMP
environment variables, or is
.BR /tmp .
The sockets in this directory are simply named
.IB dottedquad : port
after the Internet sockets they represent.
.PP
If the socket directory does not exist when a program running under
.B noip
starts up, it is created and made readable and writable only by the
current user.  Also, it is scanned and any apparently stale sockets are
removed.
.SS Configuration
The operation of
.B noip
is controlled by a configuration file.  By default,
.B noip
reads configuration from
.B .noip
in the calling user's home directory, as determined by the
.B HOME
environment, or, failing that, looking up the 
.I real
(not effective) user id in the password database.
.PP
The configuration file has a simple line-based format.  A line is
ignored if it consists only of whitespace, or if its first whitespace
character is
.RB ` # '.
Otherwise, the first whitespace-delimited word is a keyword and the
remainder of the line is a value.  The following keywords are
recognized.
.TP
.BR "debug " [\fInumber\fR]
If
.I number
is nonzero, turn debugging on; if it is zero, turn debugging off.  The
default, if no
.I number
is given, is to turn debugging on.  Debugging is written to standard
error.  Some debugging is produced before the configuration file is
read; the environment variable
.B NOIP_DEBUG
can be used to control this.
.TP
.BI "socketdir " directory
Store the Unix-domain sockets in
.IR directory 
rather than the default.
.TP
.BI "realbind " acl-entry
Add an entry to the
.B realbind
access control list (ACL).  When a program attempts to
.BR bind (2)
a socket to an address, the
.B realbind
ACL is consulted.  If the address is matched, then the program is
allowed to bind a real Internet socket to that address; otherwise, the
socket is bound to a Unix-domain socket.
.TP
.BI "realbind " acl-entry
Add an entry to the
.B realconnect
access control list (ACL).  When a program attempts to
.BR connect (2)
a socket to an address, or to contact another socket using
.BR sendto (2)
or 
.BR sendmsg (2),
the
.B realconnect
ACL is consulted.  If the destination address is matched, then the
program is allowed to contact the real Internet socket; otherwise, the
attempt is made to contact a Unix-domain socket.
.PP
(Aside: An attempt to connect to a remote host may not be a hopeless failure,
even if a real IP socket is denied:
.B noip
deliberately makes no attempt to check that addresses being bound to
sockets correspond to locally available addresses; and besides, sockets
can be introduced into the directory by other programs simulating remote
servers.)
.PP
An
.I acl-entry
has this format:
.IP
.BR + | \-
.IR address \c
.RB [ \- \c
.IR address | \c
.BR / \c
.IR mask ]| \c
.BR local | any
.RB [ : \c
.IR port [ \c
.BI \- \c
.IR port ]]
.PP
(The spaces in the above are optional.)
.PP
The leading sign says whether
matching addresses should be 
.I accepted
.RB (` + ')
or
.I denied
.RB (` \- ').
.PP
The IP-address portion may be any of the following
.TP
.B any
Matches all addresses.
.TP
.B local
Matches the address of one of the machine's network interfaces.
.TP
.I address
Matches just the given address
.TP
.IB address \- address
Matches any address which falls in the given range.  Addresses are
compared lexicographically, with octets to the left given precedence
over octets to the right.
.TP
.IB address / mask
Matches an address in the given network.  The
.I mask
may be a netmask in dotted-quad form, or a one-bit-count.
.PP
The port portion may be omitted (which means `match any port'), or may
be a single
.I port
or a range
.IB port \- port
to match.
.PP
Range comparisons are always inclusive of both endpoints.
.PP
ACL entries are processed in the order they appear in the configuration
file.  The default action of an ACL, used if none of its entries match,
is the opposite of the last actual entry in the list: if the last entry
says `accept', then the default is to deny, and vice-versa.  If the ACL
is empty, the default is to deny all addresses.
.PP
For example, it may be useful to allow access at least to a DNS server.
This can be accomplished by adding a line
.VS
realconnect +1.2.3.4:52
.VE
to the configuration file, where 1.2.3.4 is the IP address of one of
your DNS server. 
.SS Example applications
SLIME is an Emacs extension for doing interactive programming with Lisp
systems.  It communicates with the Lisp system using TCP sockets, since
Unix-domain sockets are unavailable on Windows, and besides, they are
less well supported by Lisp implementations.  Unfortunately, when the
author wrote this program, SLIME applied no authentication on its TCP
port, allowing any local user to take over the running Lisp.  Worse,
some Lisps are unable to bind a listening socket to a particular
address, leaving the socket potentially available to anyone on the
network.  By running Emacs under
.BR noip ,
the security hole is closed completely and no messing with
authentication secrets is needed.
.PP
SSH is an excellent tool for secure communications over hostile
networks.  In particular, its ability to forward TCP connections to a
port on one side of an SSH tunnel to the other side is very useful.
However, such a forwarded port is available to all users on the source
side of the tunnel.  Using 
.B noip
and a suitable configuration, a user can restrict access to a forwarded
port to himself or a small group.
.SH BUGS
.B noip
is implemented as an
.B LD_PRELOAD
hack.  It won't work on setuid programs.  Also, perhaps more
importantly, it can't do anything a
.I malicious
program use of networking: a program could theoretically issue sockets
system calls directly instead of using the C library calls that
.B noip
intercepts.  It is intended only as a tool for enhancing the security of
software written by well-meaning programmers who don't understand the
security aspects of writing networking code.
.PP
It's very hard to tell exactly what state a Unix-domain socket is in.
If the filesystem object isn't there, it's not active, but if it
.I is
then the socket might be in use or it might be stale.
.B noip
consults
.B /proc/net/unix
to decide whether a socket is in use, but this can fail in two ways.
Firstly, if the socket is created and renamed, the kernel doesn't
notice, and
.B noip
will think that the new name is stale.  Secondly, if the socket is
created, used, unlinked while it's still in use, and recreated, then
.B noip
will think that it's in use when in fact it's gone stale.  Don't mess
with
.BR noip 's
sockets unless you know what you're doing.
.PP
The procedure to replace a Unix-domain socket by an Internet one is
fairly thorough, but there are some missing cases.  In particular, if
the socket being bound or connected is a duplicate (using
.BR dup (2))
then only one of the copies will be fixed.  Similarly, copies owned by
child processes will be unaffected.
.PP
This manual is surprisingly long and complicated for such a simple hack.
.SH AUTHOR
Mark Wooding, <mdw@nsict.org>
Commit	Line	Data
e4976bb0	1	.de VS
	2	.sp 1
	3	.RS
	4	.nf
	5	.ft B
	6	..
	7	.de VE
	8	.ft R
	9	.fi
	10	.RE
	11	.sp 1
	12	..
	13	.TH noip 1 "5 May 2005" "Straylight/Edgeware" "Preload hacks"
	14	.SH NAME
	15	noip \- run programs without the ability to use IP sockets
	16	.SH SYNOPSIS
	17	.B noip
	18	.RI [ command
	19	.RI [ args ...]]
	20	.SH DESCRIPTION
	21	The
	22	.B noip
	23	program runs
	24	.I command
	25	(by default, the user's shell, as determined by the
	26	.B SHELL
	27	environment variable) in an environment where attempts to use TCP/IP
	28	networking are (mostly) transparently translated into the use of
	29	Unix-domain sockets in a private directory.
	30	.PP
	31	There are many programs which use TCP/IP for their own internal
	32	communications needs, largely unnecessarily. This can present security
	33	problems: even if a program binds its listening sockets to
	34	.BR localhost ,
	35	other users on the same system can still connect, and many such programs
	36	don't seem to have authentication systems.
	37	.PP
	38	.B noip
	39	addresses this problem by intercepting a program's networking calls and
	40	making it use Unix-domain sockets in a private directory instead of
	41	TCP/IP. Now its communications are truly private to the running user.
	42	.SS The socket directory
	43	The
	44	.B noip
	45	program keeps its sockets in a directory whose name can be configured,
	46	but by default is
	47	.BI noip- \c
	48	.IR username ,
	49	where
	50	.I username
	51	is determined by the
	52	.B USER
	53	or
	54	.B LOGNAME
	55	environment variables, or is
	56	.BI uid- \c
	57	.IR realuid
	58	in the temporary directory, which in turn is determined by the
	59	.B TMPDIR
	60	or
	61	.B TMP
	62	environment variables, or is
	63	.BR /tmp .
	64	The sockets in this directory are simply named
65	.IB dottedquad : port
66	after the Internet sockets they represent.
67	.PP
68	If the socket directory does not exist when a program running under
69	.B noip
70	starts up, it is created and made readable and writable only by the
71	current user. Also, it is scanned and any apparently stale sockets are
72	removed.
73	.SS Configuration
74	The operation of
75	.B noip
76	is controlled by a configuration file. By default,
77	.B noip
78	reads configuration from
79	.B .noip
80	in the calling user's home directory, as determined by the
81	.B HOME
82	environment, or, failing that, looking up the
83	.I real
84	(not effective) user id in the password database.
85	.PP
86	The configuration file has a simple line-based format. A line is
87	ignored if it consists only of whitespace, or if its first whitespace
88	character is
89	.RB ` # '.
90	Otherwise, the first whitespace-delimited word is a keyword and the
91	remainder of the line is a value. The following keywords are
92	recognized.
93	.TP
94	.BR "debug " [\fInumber\fR]
95	If
96	.I number
97	is nonzero, turn debugging on; if it is zero, turn debugging off. The
98	default, if no
99	.I number
100	is given, is to turn debugging on. Debugging is written to standard
101	error. Some debugging is produced before the configuration file is
102	read; the environment variable
103	.B NOIP_DEBUG
104	can be used to control this.
105	.TP
106	.BI "socketdir " directory
107	Store the Unix-domain sockets in
108	.IR directory
109	rather than the default.
110	.TP
111	.BI "realbind " acl-entry
112	Add an entry to the
113	.B realbind
114	access control list (ACL). When a program attempts to
115	.BR bind (2)
116	a socket to an address, the
117	.B realbind
118	ACL is consulted. If the address is matched, then the program is
119	allowed to bind a real Internet socket to that address; otherwise, the
120	socket is bound to a Unix-domain socket.
121	.TP
122	.BI "realbind " acl-entry
123	Add an entry to the
124	.B realconnect
125	access control list (ACL). When a program attempts to
126	.BR connect (2)
127	a socket to an address, or to contact another socket using
128	.BR sendto (2)
129	or
130	.BR sendmsg (2),
131	the
132	.B realconnect
133	ACL is consulted. If the destination address is matched, then the
134	program is allowed to contact the real Internet socket; otherwise, the
135	attempt is made to contact a Unix-domain socket.
136	.PP
137	(Aside: An attempt to connect to a remote host may not be a hopeless failure,
138	even if a real IP socket is denied:
139	.B noip
140	deliberately makes no attempt to check that addresses being bound to
141	sockets correspond to locally available addresses; and besides, sockets
142	can be introduced into the directory by other programs simulating remote
143	servers.)
144	.PP
145	An
146	.I acl-entry
147	has this format:
148	.IP
149	.BR + \| \-
150	.IR address \c
151	.RB [ \- \c
152	.IR address \| \c
153	.BR / \c
154	.IR mask ]\| \c
155	.BR local \| any
156	.RB [ : \c
157	.IR port [ \c
158	.BI \- \c
159	.IR port ]]
160	.PP
161	(The spaces in the above are optional.)
162	.PP
163	The leading sign says whether
164	matching addresses should be
165	.I accepted
166	.RB (` + ')
167	or
168	.I denied
169	.RB (` \- ').
170	.PP
171	The IP-address portion may be any of the following
172	.TP
173	.B any
174	Matches all addresses.
175	.TP
176	.B local
177	Matches the address of one of the machine's network interfaces.
178	.TP
179	.I address
180	Matches just the given address
181	.TP
182	.IB address \- address
183	Matches any address which falls in the given range. Addresses are
184	compared lexicographically, with octets to the left given precedence
185	over octets to the right.
186	.TP
187	.IB address / mask
188	Matches an address in the given network. The
189	.I mask
190	may be a netmask in dotted-quad form, or a one-bit-count.
191	.PP
192	The port portion may be omitted (which means `match any port'), or may
193	be a single
194	.I port
195	or a range
196	.IB port \- port
197	to match.
198	.PP
199	Range comparisons are always inclusive of both endpoints.
200	.PP
201	ACL entries are processed in the order they appear in the configuration
202	file. The default action of an ACL, used if none of its entries match,
203	is the opposite of the last actual entry in the list: if the last entry
204	says `accept', then the default is to deny, and vice-versa. If the ACL
205	is empty, the default is to deny all addresses.
206	.PP
207	For example, it may be useful to allow access at least to a DNS server.
208	This can be accomplished by adding a line
209	.VS
210	realconnect +1.2.3.4:52
211	.VE
212	to the configuration file, where 1.2.3.4 is the IP address of one of
213	your DNS server.
214	.SS Example applications
215	SLIME is an Emacs extension for doing interactive programming with Lisp
216	systems. It communicates with the Lisp system using TCP sockets, since
217	Unix-domain sockets are unavailable on Windows, and besides, they are
218	less well supported by Lisp implementations. Unfortunately, when the
219	author wrote this program, SLIME applied no authentication on its TCP
220	port, allowing any local user to take over the running Lisp. Worse,
221	some Lisps are unable to bind a listening socket to a particular
222	address, leaving the socket potentially available to anyone on the
223	network. By running Emacs under
224	.BR noip ,
225	the security hole is closed completely and no messing with
226	authentication secrets is needed.
227	.PP
228	SSH is an excellent tool for secure communications over hostile
229	networks. In particular, its ability to forward TCP connections to a
230	port on one side of an SSH tunnel to the other side is very useful.
231	However, such a forwarded port is available to all users on the source
232	side of the tunnel. Using
233	.B noip
234	and a suitable configuration, a user can restrict access to a forwarded
235	port to himself or a small group.
236	.SH BUGS
237	.B noip
238	is implemented as an
239	.B LD_PRELOAD
240	hack. It won't work on setuid programs. Also, perhaps more
241	importantly, it can't do anything a
242	.I malicious
243	program use of networking: a program could theoretically issue sockets
244	system calls directly instead of using the C library calls that
245	.B noip
246	intercepts. It is intended only as a tool for enhancing the security of
247	software written by well-meaning programmers who don't understand the
248	security aspects of writing networking code.
249	.PP
250	It's very hard to tell exactly what state a Unix-domain socket is in.
251	If the filesystem object isn't there, it's not active, but if it
252	.I is
253	then the socket might be in use or it might be stale.
254	.B noip
255	consults
256	.B /proc/net/unix
257	to decide whether a socket is in use, but this can fail in two ways.
258	Firstly, if the socket is created and renamed, the kernel doesn't
259	notice, and
260	.B noip
261	will think that the new name is stale. Secondly, if the socket is
262	created, used, unlinked while it's still in use, and recreated, then
263	.B noip
264	will think that it's in use when in fact it's gone stale. Don't mess
265	with
266	.BR noip 's
267	sockets unless you know what you're doing.
268	.PP
269	The procedure to replace a Unix-domain socket by an Internet one is
270	fairly thorough, but there are some missing cases. In particular, if
271	the socket being bound or connected is a duplicate (using
272	.BR dup (2))
273	then only one of the copies will be fixed. Similarly, copies owned by
274	child processes will be unaffected.
275	.PP
276	This manual is surprisingly long and complicated for such a simple hack.
277	.SH AUTHOR
278	Mark Wooding, <mdw@nsict.org>