e4976bb0 |
1 | .de VS |
2 | .sp 1 |
3 | .RS |
4 | .nf |
5 | .ft B |
6 | .. |
7 | .de VE |
8 | .ft R |
9 | .fi |
10 | .RE |
11 | .sp 1 |
12 | .. |
13 | .TH noip 1 "5 May 2005" "Straylight/Edgeware" "Preload hacks" |
14 | .SH NAME |
15 | noip \- run programs without the ability to use IP sockets |
16 | .SH SYNOPSIS |
17 | .B noip |
18 | .RI [ command |
19 | .RI [ args ...]] |
20 | .SH DESCRIPTION |
21 | The |
22 | .B noip |
23 | program runs |
24 | .I command |
25 | (by default, the user's shell, as determined by the |
26 | .B SHELL |
27 | environment variable) in an environment where attempts to use TCP/IP |
28 | networking are (mostly) transparently translated into the use of |
29 | Unix-domain sockets in a private directory. |
30 | .PP |
31 | There are many programs which use TCP/IP for their own internal |
32 | communications needs, largely unnecessarily. This can present security |
33 | problems: even if a program binds its listening sockets to |
34 | .BR localhost , |
35 | other users on the same system can still connect, and many such programs |
36 | don't seem to have authentication systems. |
37 | .PP |
38 | .B noip |
39 | addresses this problem by intercepting a program's networking calls and |
40 | making it use Unix-domain sockets in a private directory instead of |
41 | TCP/IP. Now its communications are truly private to the running user. |
42 | .SS The socket directory |
43 | The |
44 | .B noip |
45 | program keeps its sockets in a directory whose name can be configured, |
46 | but by default is |
47 | .BI noip- \c |
48 | .IR username , |
49 | where |
50 | .I username |
51 | is determined by the |
52 | .B USER |
53 | or |
54 | .B LOGNAME |
55 | environment variables, or is |
56 | .BI uid- \c |
57 | .IR realuid |
58 | in the temporary directory, which in turn is determined by the |
59 | .B TMPDIR |
60 | or |
61 | .B TMP |
62 | environment variables, or is |
63 | .BR /tmp . |
64 | The sockets in this directory are simply named |
65 | .IB dottedquad : port |
66 | after the Internet sockets they represent. |
67 | .PP |
68 | If the socket directory does not exist when a program running under |
69 | .B noip |
70 | starts up, it is created and made readable and writable only by the |
71 | current user. Also, it is scanned and any apparently stale sockets are |
72 | removed. |
73 | .SS Configuration |
74 | The operation of |
75 | .B noip |
76 | is controlled by a configuration file. By default, |
77 | .B noip |
78 | reads configuration from |
79 | .B .noip |
80 | in the calling user's home directory, as determined by the |
81 | .B HOME |
82 | environment, or, failing that, looking up the |
83 | .I real |
84 | (not effective) user id in the password database. |
85 | .PP |
86 | The configuration file has a simple line-based format. A line is |
87 | ignored if it consists only of whitespace, or if its first whitespace |
88 | character is |
89 | .RB ` # '. |
90 | Otherwise, the first whitespace-delimited word is a keyword and the |
91 | remainder of the line is a value. The following keywords are |
92 | recognized. |
93 | .TP |
94 | .BR "debug " [\fInumber\fR] |
95 | If |
96 | .I number |
97 | is nonzero, turn debugging on; if it is zero, turn debugging off. The |
98 | default, if no |
99 | .I number |
100 | is given, is to turn debugging on. Debugging is written to standard |
101 | error. Some debugging is produced before the configuration file is |
102 | read; the environment variable |
103 | .B NOIP_DEBUG |
104 | can be used to control this. |
105 | .TP |
106 | .BI "socketdir " directory |
107 | Store the Unix-domain sockets in |
108 | .IR directory |
109 | rather than the default. |
110 | .TP |
111 | .BI "realbind " acl-entry |
112 | Add an entry to the |
113 | .B realbind |
114 | access control list (ACL). When a program attempts to |
115 | .BR bind (2) |
116 | a socket to an address, the |
117 | .B realbind |
118 | ACL is consulted. If the address is matched, then the program is |
119 | allowed to bind a real Internet socket to that address; otherwise, the |
120 | socket is bound to a Unix-domain socket. |
121 | .TP |
122 | .BI "realbind " acl-entry |
123 | Add an entry to the |
124 | .B realconnect |
125 | access control list (ACL). When a program attempts to |
126 | .BR connect (2) |
127 | a socket to an address, or to contact another socket using |
128 | .BR sendto (2) |
129 | or |
130 | .BR sendmsg (2), |
131 | the |
132 | .B realconnect |
133 | ACL is consulted. If the destination address is matched, then the |
134 | program is allowed to contact the real Internet socket; otherwise, the |
135 | attempt is made to contact a Unix-domain socket. |
136 | .PP |
137 | (Aside: An attempt to connect to a remote host may not be a hopeless failure, |
138 | even if a real IP socket is denied: |
139 | .B noip |
140 | deliberately makes no attempt to check that addresses being bound to |
141 | sockets correspond to locally available addresses; and besides, sockets |
142 | can be introduced into the directory by other programs simulating remote |
143 | servers.) |
144 | .PP |
145 | An |
146 | .I acl-entry |
147 | has this format: |
148 | .IP |
149 | .BR + | \- |
150 | .IR address \c |
151 | .RB [ \- \c |
152 | .IR address | \c |
153 | .BR / \c |
154 | .IR mask ]| \c |
155 | .BR local | any |
156 | .RB [ : \c |
157 | .IR port [ \c |
158 | .BI \- \c |
159 | .IR port ]] |
160 | .PP |
161 | (The spaces in the above are optional.) |
162 | .PP |
163 | The leading sign says whether |
164 | matching addresses should be |
165 | .I accepted |
166 | .RB (` + ') |
167 | or |
168 | .I denied |
169 | .RB (` \- '). |
170 | .PP |
171 | The IP-address portion may be any of the following |
172 | .TP |
173 | .B any |
174 | Matches all addresses. |
175 | .TP |
176 | .B local |
177 | Matches the address of one of the machine's network interfaces. |
178 | .TP |
179 | .I address |
180 | Matches just the given address |
181 | .TP |
182 | .IB address \- address |
183 | Matches any address which falls in the given range. Addresses are |
184 | compared lexicographically, with octets to the left given precedence |
185 | over octets to the right. |
186 | .TP |
187 | .IB address / mask |
188 | Matches an address in the given network. The |
189 | .I mask |
190 | may be a netmask in dotted-quad form, or a one-bit-count. |
191 | .PP |
192 | The port portion may be omitted (which means `match any port'), or may |
193 | be a single |
194 | .I port |
195 | or a range |
196 | .IB port \- port |
197 | to match. |
198 | .PP |
199 | Range comparisons are always inclusive of both endpoints. |
200 | .PP |
201 | ACL entries are processed in the order they appear in the configuration |
202 | file. The default action of an ACL, used if none of its entries match, |
203 | is the opposite of the last actual entry in the list: if the last entry |
204 | says `accept', then the default is to deny, and vice-versa. If the ACL |
205 | is empty, the default is to deny all addresses. |
206 | .PP |
207 | For example, it may be useful to allow access at least to a DNS server. |
208 | This can be accomplished by adding a line |
209 | .VS |
210 | realconnect +1.2.3.4:52 |
211 | .VE |
212 | to the configuration file, where 1.2.3.4 is the IP address of one of |
213 | your DNS server. |
214 | .SS Example applications |
215 | SLIME is an Emacs extension for doing interactive programming with Lisp |
216 | systems. It communicates with the Lisp system using TCP sockets, since |
217 | Unix-domain sockets are unavailable on Windows, and besides, they are |
218 | less well supported by Lisp implementations. Unfortunately, when the |
219 | author wrote this program, SLIME applied no authentication on its TCP |
220 | port, allowing any local user to take over the running Lisp. Worse, |
221 | some Lisps are unable to bind a listening socket to a particular |
222 | address, leaving the socket potentially available to anyone on the |
223 | network. By running Emacs under |
224 | .BR noip , |
225 | the security hole is closed completely and no messing with |
226 | authentication secrets is needed. |
227 | .PP |
228 | SSH is an excellent tool for secure communications over hostile |
229 | networks. In particular, its ability to forward TCP connections to a |
230 | port on one side of an SSH tunnel to the other side is very useful. |
231 | However, such a forwarded port is available to all users on the source |
232 | side of the tunnel. Using |
233 | .B noip |
234 | and a suitable configuration, a user can restrict access to a forwarded |
235 | port to himself or a small group. |
236 | .SH BUGS |
237 | .B noip |
238 | is implemented as an |
239 | .B LD_PRELOAD |
240 | hack. It won't work on setuid programs. Also, perhaps more |
241 | importantly, it can't do anything a |
242 | .I malicious |
243 | program use of networking: a program could theoretically issue sockets |
244 | system calls directly instead of using the C library calls that |
245 | .B noip |
246 | intercepts. It is intended only as a tool for enhancing the security of |
247 | software written by well-meaning programmers who don't understand the |
248 | security aspects of writing networking code. |
249 | .PP |
250 | It's very hard to tell exactly what state a Unix-domain socket is in. |
251 | If the filesystem object isn't there, it's not active, but if it |
252 | .I is |
253 | then the socket might be in use or it might be stale. |
254 | .B noip |
255 | consults |
256 | .B /proc/net/unix |
257 | to decide whether a socket is in use, but this can fail in two ways. |
258 | Firstly, if the socket is created and renamed, the kernel doesn't |
259 | notice, and |
260 | .B noip |
261 | will think that the new name is stale. Secondly, if the socket is |
262 | created, used, unlinked while it's still in use, and recreated, then |
263 | .B noip |
264 | will think that it's in use when in fact it's gone stale. Don't mess |
265 | with |
266 | .BR noip 's |
267 | sockets unless you know what you're doing. |
268 | .PP |
269 | The procedure to replace a Unix-domain socket by an Internet one is |
270 | fairly thorough, but there are some missing cases. In particular, if |
271 | the socket being bound or connected is a duplicate (using |
272 | .BR dup (2)) |
273 | then only one of the copies will be fixed. Similarly, copies owned by |
274 | child processes will be unaffected. |
275 | .PP |
276 | This manual is surprisingly long and complicated for such a simple hack. |
277 | .SH AUTHOR |
278 | Mark Wooding, <mdw@nsict.org> |