[preload-hacks] / noip.1

.de VS
.sp 1
.RS
.nf
.ft B
..
.de VE
.ft R
.fi
.RE
.sp 1
..
.TH noip 1 "5 May 2005" "Straylight/Edgeware" "Preload hacks"
.SH NAME
noip \- run programs without the ability to use IP sockets
.SH SYNOPSIS
.B noip
.RI [ command
.RI [ args ...]]
.SH DESCRIPTION
The
.B noip
program runs
.I command
(by default, the user's shell, as determined by the
.B SHELL
environment variable) in an environment where attempts to use TCP/IP
networking are (mostly) transparently translated into the use of
Unix-domain sockets in a private directory.
.PP
There are many programs which use TCP/IP for their own internal
communications needs, largely unnecessarily.  This can present security
problems: even if a program binds its listening sockets to
.BR localhost ,
other users on the same system can still connect, and many such programs
don't seem to have authentication systems.
.PP
.B noip
addresses this problem by intercepting a program's networking calls and
making it use Unix-domain sockets in a private directory instead of
TCP/IP.  Now its communications are truly private to the running user.
.SS The socket directory
The
.B noip
program keeps its sockets in a directory whose name can be configured,
but by default is
.BI noip- \c
.IR username ,
where
.I username
is determined by the
.B USER
or
.B LOGNAME
environment variables, or is
.BI uid- \c
.IR realuid 
in the temporary directory, which in turn is determined by the
.B TMPDIR
or
.B TMP
environment variables, or is
.BR /tmp .
The sockets in this directory are simply named
.IB dottedquad : port
after the Internet sockets they represent.
.PP
If the socket directory does not exist when a program running under
.B noip
starts up, it is created and made readable and writable only by the
current user.  Also, it is scanned and any apparently stale sockets are
removed.
.SS Configuration
The operation of
.B noip
is controlled by a configuration file.  By default,
.B noip
reads configuration from
.B .noip
in the calling user's home directory, as determined by the
.B HOME
environment, or, failing that, looking up the effective user id in the
password database.  However, if the environment variable
.B NOIP_CONFIG
is set, then the file it names is read instead (assuming it exists; if
it doesn't, no configuration is read).
.PP
The configuration file has a simple line-based format.  A line is
ignored if it consists only of whitespace, or if its first
non-whitespace character is
.RB ` # '.
Otherwise, the first whitespace-delimited word is a keyword and the
remainder of the line is a value.  The following keywords are
recognized.
.TP
.BR "debug " [\fInumber\fR]
If
.I number
is nonzero, turn debugging on; if it is zero, turn debugging off.  The
default, if no
.I number
is given, is to turn debugging on.  Debugging is written to standard
error.  Some debugging is produced before the configuration file is
read; the environment variable
.B NOIP_DEBUG
can be used to control this.
.TP
.BI "socketdir " directory
Store the Unix-domain sockets in
.IR directory 
rather than the default.  The environment variable
.B NOIP_SOCKETDIR
can also be used to control which directory is used for sockets.
.TP
.BI "autoports " min "\-" max
Select which ports are used for implicit binding.  Allocating ports can
be a bit slow, since checking whether a Unix domain socket is in use is
difficult.  A wide range makes things easier, because
.B noip
starts by trying ports at random from the given range.  The environment
variable
.B NOIP_AUTOPORTS
can also be used to control which ports are assigned automatically.
.TP
.BI "realbind " acl-entry
Add a comma-separated list of entries to the
.B realbind
access control list (ACL).  (See below for the format of an ACL entry.)
When a program attempts to
.BR bind (2)
a socket to an address, the
.B realbind
ACL is consulted.  If the address is matched, then the program is
allowed to bind a real Internet socket to that address; otherwise, the
socket is bound to a Unix-domain socket.  Three environment variables
are consulted too:
.BR NOIP_REALBIND_BEFORE ,
.BR NOIP_REALBIND ,
and
.BR NOIP_REALBIND_AFTER .
The
.B _BEFORE
rules are inserted at the front of the list; the
.B _AFTER
rules are appended on the end.  Currently, the rules in
.B NOIP_REALBIND
are also put at the end (before the
.B _AFTER
rules), though this may change later.
.TP
.BI "realconnect " acl-entry
Add a comma-separated list of entries to the
.B realconnect
access control list (ACL).  (See below for the format of an ACL entry.)
When a program attempts to
.BR connect (2)
a socket to an address, or to contact another socket using
.BR sendto (2)
or 
.BR sendmsg (2),
the
.B realconnect
ACL is consulted.  If the destination address is matched, then the
program is allowed to contact the real Internet socket; otherwise, the
attempt is made to contact a Unix-domain socket.  Three environment variables
are consulted too:
.BR NOIP_REALCONNET_BEFORE ,
.BR NOIP_REALCONNECT ,
and
.BR NOIP_REALCONNECT_AFTER .
The
.B _BEFORE
rules are inserted at the front of the list; the
.B _AFTER
rules are appended on the end.  Currently, the rules in
.B NOIP_REALCONNECT
are also put at the end (before the
.B _AFTER
rules), though this may change later.
.IP
(Aside: An attempt to connect to a remote host may not be a hopeless failure,
even if a real IP socket is denied:
.B noip
deliberately makes no attempt to check that addresses being bound to
sockets correspond to locally available addresses; and besides, sockets
can be introduced into the directory by other programs simulating remote
servers.)
.TP
.BI "impbind " bind-rule
Add a comma-separated list of entries to the implicit-bind rule list.
When a program attempts to transmit from a socket \(en e.g., with
.BR connect (2),
.BR sendto (2), or
.BR sendmsg (2)
\(en without binding its local address first,
.B noip
consults this list to decide on the correct local address to assign.
Each entry in the list has the form
.RS
.IP
.I address-range
.IR address | \c
.B same
.PP
The rules are tried in order: if the remote address matches (in the same
way as in an ACL entry) the address range on the left side of the rule,
then the socket is bound to the address from the right side; if the
address on the right is
.B same
then the remote address is used.
.PP
Three environment variables
are consulted too:
.BR NOIP_IMPBIND_BEFORE ,
.BR NOIP_IMPBIND ,
and
.BR NOIP_IMPBIND_AFTER .
The
.B _BEFORE
rules are inserted at the front of the list; the
.B _AFTER
rules are appended on the end.  Currently, the rules in
.B NOIP_IMPBIND
are also put at the end (before the
.B _AFTER
rules), though this may change later.
.RE
.PP
An
.I acl-entry
is a comma-separated list of entries of the form:
.IP
.BR + | \-
.I address-range
.RB [ : \c
.IR port-range ]
.PP
(The spaces in the above are optional.)
.PP
The leading sign says whether matching addresses should be
.I accepted
.RB (` + ')
or
.I denied
.RB (` \- ').
.PP
The
.I address-range
portion may be any of the following.
.TP
.B any
Matches all addresses.
.TP
.B local
Matches the address of one of the machine's network interfaces.
.TP
.I address
Matches just the given IPv4 or IPv6 address.  An
.I address
may be enclosed in square brackets; IPv6 addresses must be so enclosed,
because colons are significant in the rest of the ACL syntax.
.TP
.IB address \- address
Matches any address which falls in the given range.  Addresses are
compared lexicographically, with octets to the left given precedence
over octets to the right.
.TP
.IB address / prefix-length
Matches an address in the given network.
.PP
The
.I port-range
may be omitted (which means `match any port'), or may be a single
.I port
or a range
.IB port \- port
to match.
.PP
Range comparisons are always inclusive of both endpoints.
.PP
ACL entries are processed in the order they appear in the configuration
file.  The default action of an ACL, used if none of its entries match,
is the opposite of the last actual entry in the list: if the last entry
says `accept', then the default is to deny, and vice-versa.  If the ACL
is empty, the default is to deny all addresses.
.PP
For example, it may be useful to allow access at least to a DNS server.
This can be accomplished by adding a line
.VS
realconnect +1.2.3.4:53
.VE
to the configuration file, where 1.2.3.4 is the IP address of one of
your DNS server. 
.SS Example applications
SLIME is an Emacs extension for doing interactive programming with Lisp
systems.  It communicates with the Lisp system using TCP sockets, since
Unix-domain sockets are unavailable on Windows, and besides, they are
less well supported by Lisp implementations.  Unfortunately, when the
author wrote this program, SLIME applied no authentication on its TCP
port, allowing any local user to take over the running Lisp.  Worse,
some Lisps are unable to bind a listening socket to a particular
address, leaving the socket potentially available to anyone on the
network.  By running Emacs under
.BR noip ,
the security hole is closed completely and no messing with
authentication secrets is needed.
.PP
SSH is an excellent tool for secure communications over hostile
networks.  In particular, its ability to forward TCP connections to a
port on one side of an SSH tunnel to the other side is very useful.
However, such a forwarded port is available to all users on the source
side of the tunnel.  Using 
.B noip
and a suitable configuration, a user can restrict access to a forwarded
port to himself or a small group.
.SH BUGS
.B noip
is implemented as an
.B LD_PRELOAD
hack.  It won't work on setuid programs.  Also, perhaps more
importantly, it can't do anything to prevent a
.I malicious
program's use of networking: a program could theoretically issue sockets
system calls directly instead of using the C library calls that
.B noip
intercepts.  It is intended only as a tool for enhancing the security of
software written by well-meaning programmers who don't understand the
security aspects of writing networking code.
.PP
It's very hard to tell exactly what state a Unix-domain socket is in.
If the filesystem object isn't there, it's not active, but if it
.I is
then the socket might be in use or it might be stale.
.B noip
consults
.B /proc/net/unix
to decide whether a socket is in use, but this can fail in two ways.
Firstly, if the socket is created and renamed, the kernel doesn't
notice, and
.B noip
will think that the new name is stale.  Secondly, if the socket is
created, used, unlinked while it's still in use, and recreated, then
.B noip
will think that it's in use when in fact it's gone stale.  Don't mess
with
.BR noip 's
sockets unless you know what you're doing.
.PP
The procedure to replace a Unix-domain socket by an Internet one is
fairly thorough, but there are some missing cases.  In particular, if
the socket being bound or connected is a duplicate (using
.BR dup (2))
then only one of the copies will be fixed.  Similarly, copies owned by
child processes will be unaffected.
.PP
This manual is surprisingly long and complicated for such a simple hack.
.SH AUTHOR
Mark Wooding, <mdw@distorted.org.uk>
Commit	Line	Data
e4976bb0	1	.de VS
	2	.sp 1
	3	.RS
	4	.nf
	5	.ft B
	6	..
	7	.de VE
	8	.ft R
	9	.fi
	10	.RE
	11	.sp 1
	12	..
	13	.TH noip 1 "5 May 2005" "Straylight/Edgeware" "Preload hacks"
	14	.SH NAME
	15	noip \- run programs without the ability to use IP sockets
	16	.SH SYNOPSIS
	17	.B noip
	18	.RI [ command
	19	.RI [ args ...]]
	20	.SH DESCRIPTION
	21	The
	22	.B noip
	23	program runs
	24	.I command
	25	(by default, the user's shell, as determined by the
	26	.B SHELL
	27	environment variable) in an environment where attempts to use TCP/IP
	28	networking are (mostly) transparently translated into the use of
	29	Unix-domain sockets in a private directory.
	30	.PP
	31	There are many programs which use TCP/IP for their own internal
	32	communications needs, largely unnecessarily. This can present security
	33	problems: even if a program binds its listening sockets to
	34	.BR localhost ,
	35	other users on the same system can still connect, and many such programs
	36	don't seem to have authentication systems.
	37	.PP
	38	.B noip
	39	addresses this problem by intercepting a program's networking calls and
	40	making it use Unix-domain sockets in a private directory instead of
	41	TCP/IP. Now its communications are truly private to the running user.
	42	.SS The socket directory
	43	The
	44	.B noip
	45	program keeps its sockets in a directory whose name can be configured,
	46	but by default is
	47	.BI noip- \c
	48	.IR username ,
	49	where
	50	.I username
	51	is determined by the
	52	.B USER
	53	or
	54	.B LOGNAME
	55	environment variables, or is
	56	.BI uid- \c
	57	.IR realuid
	58	in the temporary directory, which in turn is determined by the
	59	.B TMPDIR
	60	or
	61	.B TMP
	62	environment variables, or is
	63	.BR /tmp .
	64	The sockets in this directory are simply named
65	.IB dottedquad : port
66	after the Internet sockets they represent.
67	.PP
68	If the socket directory does not exist when a program running under
69	.B noip
70	starts up, it is created and made readable and writable only by the
71	current user. Also, it is scanned and any apparently stale sockets are
72	removed.
73	.SS Configuration
74	The operation of
75	.B noip
76	is controlled by a configuration file. By default,
77	.B noip
78	reads configuration from
79	.B .noip
80	in the calling user's home directory, as determined by the
81	.B HOME
5b49f527	82	environment, or, failing that, looking up the effective user id in the
5b49f527	83	password database. However, if the environment variable
a6d9626b	84	.B NOIP_CONFIG
	85	is set, then the file it names is read instead (assuming it exists; if
	86	it doesn't, no configuration is read).
e4976bb0	87	.PP
e4976bb0	88	The configuration file has a simple line-based format. A line is
673935dd MW	89	ignored if it consists only of whitespace, or if its first
673935dd MW	90	non-whitespace character is
e4976bb0	91	.RB ` # '.
	92	Otherwise, the first whitespace-delimited word is a keyword and the
	93	remainder of the line is a value. The following keywords are
	94	recognized.
	95	.TP
	96	.BR "debug " [\fInumber\fR]
	97	If
	98	.I number
	99	is nonzero, turn debugging on; if it is zero, turn debugging off. The
	100	default, if no
	101	.I number
	102	is given, is to turn debugging on. Debugging is written to standard
	103	error. Some debugging is produced before the configuration file is
	104	read; the environment variable
	105	.B NOIP_DEBUG
	106	can be used to control this.
	107	.TP
	108	.BI "socketdir " directory
	109	Store the Unix-domain sockets in
	110	.IR directory
a6d9626b	111	rather than the default. The environment variable
	112	.B NOIP_SOCKETDIR
	113	can also be used to control which directory is used for sockets.
e4976bb0	114	.TP
f6049fdd	115	.BI "autoports " min "\-" max
	116	Select which ports are used for implicit binding. Allocating ports can
	117	be a bit slow, since checking whether a Unix domain socket is in use is
	118	difficult. A wide range makes things easier, because
	119	.B noip
	120	starts by trying ports at random from the given range. The environment
	121	variable
	122	.B NOIP_AUTOPORTS
	123	can also be used to control which ports are assigned automatically.
	124	.TP
e4976bb0	125	.BI "realbind " acl-entry
7071520e	126	Add a comma-separated list of entries to the
e4976bb0	127	.B realbind
7071520e MW	128	access control list (ACL). (See below for the format of an ACL entry.)
7071520e MW	129	When a program attempts to
e4976bb0	130	.BR bind (2)
	131	a socket to an address, the
	132	.B realbind
	133	ACL is consulted. If the address is matched, then the program is
	134	allowed to bind a real Internet socket to that address; otherwise, the
a6d9626b	135	socket is bound to a Unix-domain socket. Three environment variables
	136	are consulted too:
	137	.BR NOIP_REALBIND_BEFORE ,
	138	.BR NOIP_REALBIND ,
	139	and
	140	.BR NOIP_REALBIND_AFTER .
	141	The
	142	.B _BEFORE
	143	rules are inserted at the front of the list; the
	144	.B _AFTER
	145	rules are appended on the end. Currently, the rules in
	146	.B NOIP_REALBIND
	147	are also put at the end (before the
	148	.B _AFTER
	149	rules), though this may change later.
e4976bb0	150	.TP
a6d9626b	151	.BI "realconnect " acl-entry
7071520e	152	Add a comma-separated list of entries to the
e4976bb0	153	.B realconnect
7071520e MW	154	access control list (ACL). (See below for the format of an ACL entry.)
7071520e MW	155	When a program attempts to
e4976bb0	156	.BR connect (2)
	157	a socket to an address, or to contact another socket using
	158	.BR sendto (2)
	159	or
	160	.BR sendmsg (2),
	161	the
	162	.B realconnect
	163	ACL is consulted. If the destination address is matched, then the
	164	program is allowed to contact the real Internet socket; otherwise, the
a6d9626b	165	attempt is made to contact a Unix-domain socket. Three environment variables
	166	are consulted too:
	167	.BR NOIP_REALCONNET_BEFORE ,
	168	.BR NOIP_REALCONNECT ,
	169	and
	170	.BR NOIP_REALCONNECT_AFTER .
	171	The
	172	.B _BEFORE
	173	rules are inserted at the front of the list; the
	174	.B _AFTER
	175	rules are appended on the end. Currently, the rules in
	176	.B NOIP_REALCONNECT
	177	are also put at the end (before the
	178	.B _AFTER
	179	rules), though this may change later.
2f2b91d9 MW	180	.IP
	181	(Aside: An attempt to connect to a remote host may not be a hopeless failure,
	182	even if a real IP socket is denied:
	183	.B noip
	184	deliberately makes no attempt to check that addresses being bound to
	185	sockets correspond to locally available addresses; and besides, sockets
	186	can be introduced into the directory by other programs simulating remote
	187	servers.)
7be80f86 MW	188	.TP
7be80f86 MW	189	.BI "impbind " bind-rule
7071520e MW	190	Add a comma-separated list of entries to the implicit-bind rule list.
	191	When a program attempts to transmit from a socket \(en e.g., with
	192	.BR connect (2),
	193	.BR sendto (2), or
	194	.BR sendmsg (2)
	195	\(en without binding its local address first,
7be80f86 MW	196	.B noip
	197	consults this list to decide on the correct local address to assign.
	198	Each entry in the list has the form
	199	.RS
	200	.IP
	201	.I address-range
	202	.IR address \| \c
	203	.B same
	204	.PP
	205	The rules are tried in order: if the remote address matches (in the same
	206	way as in an ACL entry) the address range on the left side of the rule,
	207	then the socket is bound to the address from the right side; if the
	208	address on the right is
	209	.B same
	210	then the remote address is used.
	211	.PP
	212	Three environment variables
	213	are consulted too:
	214	.BR NOIP_IMPBIND_BEFORE ,
	215	.BR NOIP_IMPBIND ,
	216	and
	217	.BR NOIP_IMPBIND_AFTER .
	218	The
	219	.B _BEFORE
	220	rules are inserted at the front of the list; the
	221	.B _AFTER
	222	rules are appended on the end. Currently, the rules in
	223	.B NOIP_IMPBIND
	224	are also put at the end (before the
	225	.B _AFTER
	226	rules), though this may change later.
	227	.RE
e4976bb0	228	.PP
e4976bb0	229	An
e4976bb0	230	.I acl-entry
a6d9626b	231	is a comma-separated list of entries of the form:
e4976bb0	232	.IP
e4976bb0	233	.BR + \| \-
0a6ab6a1	234	.I address-range
e4976bb0	235	.RB [ : \c
0a6ab6a1	236	.IR port-range ]
e4976bb0	237	.PP
	238	(The spaces in the above are optional.)
	239	.PP
99222954	240	The leading sign says whether matching addresses should be
e4976bb0	241	.I accepted
	242	.RB (` + ')
	243	or
	244	.I denied
	245	.RB (` \- ').
	246	.PP
0a6ab6a1 MW	247	The
	248	.I address-range
	249	portion may be any of the following.
e4976bb0	250	.TP
	251	.B any
	252	Matches all addresses.
	253	.TP
	254	.B local
	255	Matches the address of one of the machine's network interfaces.
	256	.TP
	257	.I address
2a06ea0b	258	Matches just the given IPv4 or IPv6 address. An
9314b85a	259	.I address
2a06ea0b MW	260	may be enclosed in square brackets; IPv6 addresses must be so enclosed,
2a06ea0b MW	261	because colons are significant in the rest of the ACL syntax.
e4976bb0	262	.TP
	263	.IB address \- address
	264	Matches any address which falls in the given range. Addresses are
	265	compared lexicographically, with octets to the left given precedence
	266	over octets to the right.
	267	.TP
9314b85a MW	268	.IB address / prefix-length
9314b85a MW	269	Matches an address in the given network.
e4976bb0	270	.PP
0a6ab6a1 MW	271	The
	272	.I port-range
	273	may be omitted (which means `match any port'), or may be a single
e4976bb0	274	.I port
	275	or a range
	276	.IB port \- port
	277	to match.
	278	.PP
	279	Range comparisons are always inclusive of both endpoints.
	280	.PP
	281	ACL entries are processed in the order they appear in the configuration
	282	file. The default action of an ACL, used if none of its entries match,
	283	is the opposite of the last actual entry in the list: if the last entry
	284	says `accept', then the default is to deny, and vice-versa. If the ACL
	285	is empty, the default is to deny all addresses.
	286	.PP
	287	For example, it may be useful to allow access at least to a DNS server.
	288	This can be accomplished by adding a line
	289	.VS
a8be0591	290	realconnect +1.2.3.4:53
e4976bb0	291	.VE
	292	to the configuration file, where 1.2.3.4 is the IP address of one of
	293	your DNS server.
	294	.SS Example applications
	295	SLIME is an Emacs extension for doing interactive programming with Lisp
	296	systems. It communicates with the Lisp system using TCP sockets, since
	297	Unix-domain sockets are unavailable on Windows, and besides, they are
	298	less well supported by Lisp implementations. Unfortunately, when the
	299	author wrote this program, SLIME applied no authentication on its TCP
	300	port, allowing any local user to take over the running Lisp. Worse,
	301	some Lisps are unable to bind a listening socket to a particular
	302	address, leaving the socket potentially available to anyone on the
	303	network. By running Emacs under
	304	.BR noip ,
	305	the security hole is closed completely and no messing with
	306	authentication secrets is needed.
	307	.PP
	308	SSH is an excellent tool for secure communications over hostile
	309	networks. In particular, its ability to forward TCP connections to a
	310	port on one side of an SSH tunnel to the other side is very useful.
	311	However, such a forwarded port is available to all users on the source
	312	side of the tunnel. Using
	313	.B noip
	314	and a suitable configuration, a user can restrict access to a forwarded
	315	port to himself or a small group.
	316	.SH BUGS
	317	.B noip
	318	is implemented as an
	319	.B LD_PRELOAD
	320	hack. It won't work on setuid programs. Also, perhaps more
a8be0591	321	importantly, it can't do anything to prevent a
e4976bb0	322	.I malicious
a8be0591	323	program's use of networking: a program could theoretically issue sockets
e4976bb0	324	system calls directly instead of using the C library calls that
	325	.B noip
	326	intercepts. It is intended only as a tool for enhancing the security of
	327	software written by well-meaning programmers who don't understand the
	328	security aspects of writing networking code.
	329	.PP
	330	It's very hard to tell exactly what state a Unix-domain socket is in.
	331	If the filesystem object isn't there, it's not active, but if it
	332	.I is
	333	then the socket might be in use or it might be stale.
	334	.B noip
	335	consults
	336	.B /proc/net/unix
	337	to decide whether a socket is in use, but this can fail in two ways.
	338	Firstly, if the socket is created and renamed, the kernel doesn't
	339	notice, and
	340	.B noip
	341	will think that the new name is stale. Secondly, if the socket is
	342	created, used, unlinked while it's still in use, and recreated, then
	343	.B noip
	344	will think that it's in use when in fact it's gone stale. Don't mess
	345	with
	346	.BR noip 's
	347	sockets unless you know what you're doing.
	348	.PP
	349	The procedure to replace a Unix-domain socket by an Internet one is
	350	fairly thorough, but there are some missing cases. In particular, if
	351	the socket being bound or connected is a duplicate (using
	352	.BR dup (2))
	353	then only one of the copies will be fixed. Similarly, copies owned by
	354	child processes will be unaffected.
	355	.PP
	356	This manual is surprisingly long and complicated for such a simple hack.
	357	.SH AUTHOR
a8be0591	358	Mark Wooding, <mdw@distorted.org.uk>