[preload-hacks] / noip.1

.de VS
.sp 1
.RS
.nf
.ft B
..
.de VE
.ft R
.fi
.RE
.sp 1
..
.TH noip 1 "5 May 2005" "Straylight/Edgeware" "Preload hacks"
.SH NAME
noip \- run programs without the ability to use IP sockets
.SH SYNOPSIS
.B noip
.RI [ command
.RI [ args ...]]
.SH DESCRIPTION
The
.B noip
program runs
.I command
(by default, the user's shell, as determined by the
.B SHELL
environment variable) in an environment where attempts to use TCP/IP
networking are (mostly) transparently translated into the use of
Unix-domain sockets in a private directory.
.PP
There are many programs which use TCP/IP for their own internal
communications needs, largely unnecessarily.  This can present security
problems: even if a program binds its listening sockets to
.BR localhost ,
other users on the same system can still connect, and many such programs
don't seem to have authentication systems.
.PP
.B noip
addresses this problem by intercepting a program's networking calls and
making it use Unix-domain sockets in a private directory instead of
TCP/IP.  Now its communications are truly private to the running user.
.SS The socket directory
The
.B noip
program keeps its sockets in a directory whose name can be configured,
but by default is
.BI noip- \c
.IR username ,
where
.I username
is determined by the
.B USER
or
.B LOGNAME
environment variables, or is
.BI uid- \c
.IR realuid 
in the temporary directory, which in turn is determined by the
.B TMPDIR
or
.B TMP
environment variables, or is
.BR /tmp .
The sockets in this directory are simply named
.IB dottedquad : port
after the Internet sockets they represent.
.PP
If the socket directory does not exist when a program running under
.B noip
starts up, it is created and made readable and writable only by the
current user.  Also, it is scanned and any apparently stale sockets are
removed.
.SS Configuration
The operation of
.B noip
is controlled by a configuration file.  By default,
.B noip
reads configuration from
.B .noip
in the calling user's home directory, as determined by the
.B HOME
environment, or, failing that, looking up the effective user id in the
password database.  However, if the environment variable
.B NOIP_CONFIG
is set, then the file it names is read instead (assuming it exists; if
it doesn't, no configuration is read).
.PP
The configuration file has a simple line-based format.  A line is
ignored if it consists only of whitespace, or if its first whitespace
character is
.RB ` # '.
Otherwise, the first whitespace-delimited word is a keyword and the
remainder of the line is a value.  The following keywords are
recognized.
.TP
.BR "debug " [\fInumber\fR]
If
.I number
is nonzero, turn debugging on; if it is zero, turn debugging off.  The
default, if no
.I number
is given, is to turn debugging on.  Debugging is written to standard
error.  Some debugging is produced before the configuration file is
read; the environment variable
.B NOIP_DEBUG
can be used to control this.
.TP
.BI "socketdir " directory
Store the Unix-domain sockets in
.IR directory 
rather than the default.  The environment variable
.B NOIP_SOCKETDIR
can also be used to control which directory is used for sockets.
.TP
.BI "autoports " min "\-" max
Select which ports are used for implicit binding.  Allocating ports can
be a bit slow, since checking whether a Unix domain socket is in use is
difficult.  A wide range makes things easier, because
.B noip
starts by trying ports at random from the given range.  The environment
variable
.B NOIP_AUTOPORTS
can also be used to control which ports are assigned automatically.
.TP
.BI "realbind " acl-entry
Add an entry to the
.B realbind
access control list (ACL).  When a program attempts to
.BR bind (2)
a socket to an address, the
.B realbind
ACL is consulted.  If the address is matched, then the program is
allowed to bind a real Internet socket to that address; otherwise, the
socket is bound to a Unix-domain socket.  Three environment variables
are consulted too:
.BR NOIP_REALBIND_BEFORE ,
.BR NOIP_REALBIND ,
and
.BR NOIP_REALBIND_AFTER .
The
.B _BEFORE
rules are inserted at the front of the list; the
.B _AFTER
rules are appended on the end.  Currently, the rules in
.B NOIP_REALBIND
are also put at the end (before the
.B _AFTER
rules), though this may change later.
.TP
.BI "realconnect " acl-entry
Add an entry to the
.B realconnect
access control list (ACL).  When a program attempts to
.BR connect (2)
a socket to an address, or to contact another socket using
.BR sendto (2)
or 
.BR sendmsg (2),
the
.B realconnect
ACL is consulted.  If the destination address is matched, then the
program is allowed to contact the real Internet socket; otherwise, the
attempt is made to contact a Unix-domain socket.  Three environment variables
are consulted too:
.BR NOIP_REALCONNET_BEFORE ,
.BR NOIP_REALCONNECT ,
and
.BR NOIP_REALCONNECT_AFTER .
The
.B _BEFORE
rules are inserted at the front of the list; the
.B _AFTER
rules are appended on the end.  Currently, the rules in
.B NOIP_REALCONNECT
are also put at the end (before the
.B _AFTER
rules), though this may change later.
.TP
.BI "impbind " bind-rule
Add an entry to the implicit-bind rule list.  When a program attempts to
.BR connect (2)
a socket without binding its local address first,
.B noip
consults this list to decide on the correct local address to assign.
Each entry in the list has the form
.RS
.IP
.I address-range
.IR address | \c
.B same
.PP
The rules are tried in order: if the remote address matches (in the same
way as in an ACL entry) the address range on the left side of the rule,
then the socket is bound to the address from the right side; if the
address on the right is
.B same
then the remote address is used.
.PP
Three environment variables
are consulted too:
.BR NOIP_IMPBIND_BEFORE ,
.BR NOIP_IMPBIND ,
and
.BR NOIP_IMPBIND_AFTER .
The
.B _BEFORE
rules are inserted at the front of the list; the
.B _AFTER
rules are appended on the end.  Currently, the rules in
.B NOIP_IMPBIND
are also put at the end (before the
.B _AFTER
rules), though this may change later.
.RE
.PP
(Aside: An attempt to connect to a remote host may not be a hopeless failure,
even if a real IP socket is denied:
.B noip
deliberately makes no attempt to check that addresses being bound to
sockets correspond to locally available addresses; and besides, sockets
can be introduced into the directory by other programs simulating remote
servers.)
.PP
An
.I acl-entry
is a comma-separated list of entries of the form:
.IP
.BR + | \-
.I address-range
.RB [ : \c
.IR port-range ]
.PP
(The spaces in the above are optional.)
.PP
The leading sign says whether matching addresses should be
.I accepted
.RB (` + ')
or
.I denied
.RB (` \- ').
.PP
The
.I address-range
portion may be any of the following.
.TP
.B any
Matches all addresses.
.TP
.B local
Matches the address of one of the machine's network interfaces.
.TP
.I address
Matches just the given IPv4 or IPv6 address.  An
.I address
may be enclosed in square brackets; IPv6 addresses must be so enclosed,
because colons are significant in the rest of the ACL syntax.
.TP
.IB address \- address
Matches any address which falls in the given range.  Addresses are
compared lexicographically, with octets to the left given precedence
over octets to the right.
.TP
.IB address / prefix-length
Matches an address in the given network.
.PP
The
.I port-range
may be omitted (which means `match any port'), or may be a single
.I port
or a range
.IB port \- port
to match.
.PP
Range comparisons are always inclusive of both endpoints.
.PP
ACL entries are processed in the order they appear in the configuration
file.  The default action of an ACL, used if none of its entries match,
is the opposite of the last actual entry in the list: if the last entry
says `accept', then the default is to deny, and vice-versa.  If the ACL
is empty, the default is to deny all addresses.
.PP
For example, it may be useful to allow access at least to a DNS server.
This can be accomplished by adding a line
.VS
realconnect +1.2.3.4:53
.VE
to the configuration file, where 1.2.3.4 is the IP address of one of
your DNS server. 
.SS Example applications
SLIME is an Emacs extension for doing interactive programming with Lisp
systems.  It communicates with the Lisp system using TCP sockets, since
Unix-domain sockets are unavailable on Windows, and besides, they are
less well supported by Lisp implementations.  Unfortunately, when the
author wrote this program, SLIME applied no authentication on its TCP
port, allowing any local user to take over the running Lisp.  Worse,
some Lisps are unable to bind a listening socket to a particular
address, leaving the socket potentially available to anyone on the
network.  By running Emacs under
.BR noip ,
the security hole is closed completely and no messing with
authentication secrets is needed.
.PP
SSH is an excellent tool for secure communications over hostile
networks.  In particular, its ability to forward TCP connections to a
port on one side of an SSH tunnel to the other side is very useful.
However, such a forwarded port is available to all users on the source
side of the tunnel.  Using 
.B noip
and a suitable configuration, a user can restrict access to a forwarded
port to himself or a small group.
.SH BUGS
.B noip
is implemented as an
.B LD_PRELOAD
hack.  It won't work on setuid programs.  Also, perhaps more
importantly, it can't do anything to prevent a
.I malicious
program's use of networking: a program could theoretically issue sockets
system calls directly instead of using the C library calls that
.B noip
intercepts.  It is intended only as a tool for enhancing the security of
software written by well-meaning programmers who don't understand the
security aspects of writing networking code.
.PP
It's very hard to tell exactly what state a Unix-domain socket is in.
If the filesystem object isn't there, it's not active, but if it
.I is
then the socket might be in use or it might be stale.
.B noip
consults
.B /proc/net/unix
to decide whether a socket is in use, but this can fail in two ways.
Firstly, if the socket is created and renamed, the kernel doesn't
notice, and
.B noip
will think that the new name is stale.  Secondly, if the socket is
created, used, unlinked while it's still in use, and recreated, then
.B noip
will think that it's in use when in fact it's gone stale.  Don't mess
with
.BR noip 's
sockets unless you know what you're doing.
.PP
The procedure to replace a Unix-domain socket by an Internet one is
fairly thorough, but there are some missing cases.  In particular, if
the socket being bound or connected is a duplicate (using
.BR dup (2))
then only one of the copies will be fixed.  Similarly, copies owned by
child processes will be unaffected.
.PP
This manual is surprisingly long and complicated for such a simple hack.
.SH AUTHOR
Mark Wooding, <mdw@distorted.org.uk>
Commit	Line	Data
e4976bb0	1	.de VS
	2	.sp 1
	3	.RS
	4	.nf
	5	.ft B
	6	..
	7	.de VE
	8	.ft R
	9	.fi
	10	.RE
	11	.sp 1
	12	..
	13	.TH noip 1 "5 May 2005" "Straylight/Edgeware" "Preload hacks"
	14	.SH NAME
	15	noip \- run programs without the ability to use IP sockets
	16	.SH SYNOPSIS
	17	.B noip
	18	.RI [ command
	19	.RI [ args ...]]
	20	.SH DESCRIPTION
	21	The
	22	.B noip
	23	program runs
	24	.I command
	25	(by default, the user's shell, as determined by the
	26	.B SHELL
	27	environment variable) in an environment where attempts to use TCP/IP
	28	networking are (mostly) transparently translated into the use of
	29	Unix-domain sockets in a private directory.
	30	.PP
	31	There are many programs which use TCP/IP for their own internal
	32	communications needs, largely unnecessarily. This can present security
	33	problems: even if a program binds its listening sockets to
	34	.BR localhost ,
	35	other users on the same system can still connect, and many such programs
	36	don't seem to have authentication systems.
	37	.PP
	38	.B noip
	39	addresses this problem by intercepting a program's networking calls and
	40	making it use Unix-domain sockets in a private directory instead of
	41	TCP/IP. Now its communications are truly private to the running user.
	42	.SS The socket directory
	43	The
	44	.B noip
	45	program keeps its sockets in a directory whose name can be configured,
	46	but by default is
	47	.BI noip- \c
	48	.IR username ,
	49	where
	50	.I username
	51	is determined by the
	52	.B USER
	53	or
	54	.B LOGNAME
	55	environment variables, or is
	56	.BI uid- \c
	57	.IR realuid
	58	in the temporary directory, which in turn is determined by the
	59	.B TMPDIR
	60	or
	61	.B TMP
	62	environment variables, or is
	63	.BR /tmp .
	64	The sockets in this directory are simply named
65	.IB dottedquad : port
66	after the Internet sockets they represent.
67	.PP
68	If the socket directory does not exist when a program running under
69	.B noip
70	starts up, it is created and made readable and writable only by the
71	current user. Also, it is scanned and any apparently stale sockets are
72	removed.
73	.SS Configuration
74	The operation of
75	.B noip
76	is controlled by a configuration file. By default,
77	.B noip
78	reads configuration from
79	.B .noip
80	in the calling user's home directory, as determined by the
81	.B HOME
5b49f527	82	environment, or, failing that, looking up the effective user id in the
5b49f527	83	password database. However, if the environment variable
a6d9626b	84	.B NOIP_CONFIG
	85	is set, then the file it names is read instead (assuming it exists; if
	86	it doesn't, no configuration is read).
e4976bb0	87	.PP
	88	The configuration file has a simple line-based format. A line is
	89	ignored if it consists only of whitespace, or if its first whitespace
	90	character is
	91	.RB ` # '.
	92	Otherwise, the first whitespace-delimited word is a keyword and the
	93	remainder of the line is a value. The following keywords are
	94	recognized.
	95	.TP
	96	.BR "debug " [\fInumber\fR]
	97	If
	98	.I number
	99	is nonzero, turn debugging on; if it is zero, turn debugging off. The
	100	default, if no
	101	.I number
	102	is given, is to turn debugging on. Debugging is written to standard
	103	error. Some debugging is produced before the configuration file is
	104	read; the environment variable
	105	.B NOIP_DEBUG
	106	can be used to control this.
	107	.TP
	108	.BI "socketdir " directory
	109	Store the Unix-domain sockets in
	110	.IR directory
a6d9626b	111	rather than the default. The environment variable
	112	.B NOIP_SOCKETDIR
	113	can also be used to control which directory is used for sockets.
e4976bb0	114	.TP
f6049fdd	115	.BI "autoports " min "\-" max
	116	Select which ports are used for implicit binding. Allocating ports can
	117	be a bit slow, since checking whether a Unix domain socket is in use is
	118	difficult. A wide range makes things easier, because
	119	.B noip
	120	starts by trying ports at random from the given range. The environment
	121	variable
	122	.B NOIP_AUTOPORTS
	123	can also be used to control which ports are assigned automatically.
	124	.TP
e4976bb0	125	.BI "realbind " acl-entry
	126	Add an entry to the
	127	.B realbind
	128	access control list (ACL). When a program attempts to
	129	.BR bind (2)
	130	a socket to an address, the
	131	.B realbind
	132	ACL is consulted. If the address is matched, then the program is
	133	allowed to bind a real Internet socket to that address; otherwise, the
a6d9626b	134	socket is bound to a Unix-domain socket. Three environment variables
	135	are consulted too:
	136	.BR NOIP_REALBIND_BEFORE ,
	137	.BR NOIP_REALBIND ,
	138	and
	139	.BR NOIP_REALBIND_AFTER .
	140	The
	141	.B _BEFORE
	142	rules are inserted at the front of the list; the
	143	.B _AFTER
	144	rules are appended on the end. Currently, the rules in
	145	.B NOIP_REALBIND
	146	are also put at the end (before the
	147	.B _AFTER
	148	rules), though this may change later.
e4976bb0	149	.TP
a6d9626b	150	.BI "realconnect " acl-entry
e4976bb0	151	Add an entry to the
	152	.B realconnect
	153	access control list (ACL). When a program attempts to
	154	.BR connect (2)
	155	a socket to an address, or to contact another socket using
	156	.BR sendto (2)
	157	or
	158	.BR sendmsg (2),
	159	the
	160	.B realconnect
	161	ACL is consulted. If the destination address is matched, then the
	162	program is allowed to contact the real Internet socket; otherwise, the
a6d9626b	163	attempt is made to contact a Unix-domain socket. Three environment variables
	164	are consulted too:
	165	.BR NOIP_REALCONNET_BEFORE ,
	166	.BR NOIP_REALCONNECT ,
	167	and
	168	.BR NOIP_REALCONNECT_AFTER .
	169	The
	170	.B _BEFORE
	171	rules are inserted at the front of the list; the
	172	.B _AFTER
	173	rules are appended on the end. Currently, the rules in
	174	.B NOIP_REALCONNECT
	175	are also put at the end (before the
	176	.B _AFTER
	177	rules), though this may change later.
7be80f86 MW	178	.TP
	179	.BI "impbind " bind-rule
	180	Add an entry to the implicit-bind rule list. When a program attempts to
	181	.BR connect (2)
	182	a socket without binding its local address first,
	183	.B noip
	184	consults this list to decide on the correct local address to assign.
	185	Each entry in the list has the form
	186	.RS
	187	.IP
	188	.I address-range
	189	.IR address \| \c
	190	.B same
	191	.PP
	192	The rules are tried in order: if the remote address matches (in the same
	193	way as in an ACL entry) the address range on the left side of the rule,
	194	then the socket is bound to the address from the right side; if the
	195	address on the right is
	196	.B same
	197	then the remote address is used.
	198	.PP
	199	Three environment variables
	200	are consulted too:
	201	.BR NOIP_IMPBIND_BEFORE ,
	202	.BR NOIP_IMPBIND ,
	203	and
	204	.BR NOIP_IMPBIND_AFTER .
	205	The
	206	.B _BEFORE
	207	rules are inserted at the front of the list; the
	208	.B _AFTER
	209	rules are appended on the end. Currently, the rules in
	210	.B NOIP_IMPBIND
	211	are also put at the end (before the
	212	.B _AFTER
	213	rules), though this may change later.
	214	.RE
e4976bb0	215	.PP
	216	(Aside: An attempt to connect to a remote host may not be a hopeless failure,
	217	even if a real IP socket is denied:
	218	.B noip
	219	deliberately makes no attempt to check that addresses being bound to
	220	sockets correspond to locally available addresses; and besides, sockets
	221	can be introduced into the directory by other programs simulating remote
	222	servers.)
	223	.PP
	224	An
	225	.I acl-entry
a6d9626b	226	is a comma-separated list of entries of the form:
e4976bb0	227	.IP
e4976bb0	228	.BR + \| \-
0a6ab6a1	229	.I address-range
e4976bb0	230	.RB [ : \c
0a6ab6a1	231	.IR port-range ]
e4976bb0	232	.PP
	233	(The spaces in the above are optional.)
	234	.PP
99222954	235	The leading sign says whether matching addresses should be
e4976bb0	236	.I accepted
	237	.RB (` + ')
	238	or
	239	.I denied
	240	.RB (` \- ').
	241	.PP
0a6ab6a1 MW	242	The
	243	.I address-range
	244	portion may be any of the following.
e4976bb0	245	.TP
	246	.B any
	247	Matches all addresses.
	248	.TP
	249	.B local
	250	Matches the address of one of the machine's network interfaces.
	251	.TP
	252	.I address
2a06ea0b	253	Matches just the given IPv4 or IPv6 address. An
9314b85a	254	.I address
2a06ea0b MW	255	may be enclosed in square brackets; IPv6 addresses must be so enclosed,
2a06ea0b MW	256	because colons are significant in the rest of the ACL syntax.
e4976bb0	257	.TP
	258	.IB address \- address
	259	Matches any address which falls in the given range. Addresses are
	260	compared lexicographically, with octets to the left given precedence
	261	over octets to the right.
	262	.TP
9314b85a MW	263	.IB address / prefix-length
9314b85a MW	264	Matches an address in the given network.
e4976bb0	265	.PP
0a6ab6a1 MW	266	The
	267	.I port-range
	268	may be omitted (which means `match any port'), or may be a single
e4976bb0	269	.I port
	270	or a range
	271	.IB port \- port
	272	to match.
	273	.PP
	274	Range comparisons are always inclusive of both endpoints.
	275	.PP
	276	ACL entries are processed in the order they appear in the configuration
	277	file. The default action of an ACL, used if none of its entries match,
	278	is the opposite of the last actual entry in the list: if the last entry
	279	says `accept', then the default is to deny, and vice-versa. If the ACL
	280	is empty, the default is to deny all addresses.
	281	.PP
	282	For example, it may be useful to allow access at least to a DNS server.
	283	This can be accomplished by adding a line
	284	.VS
a8be0591	285	realconnect +1.2.3.4:53
e4976bb0	286	.VE
	287	to the configuration file, where 1.2.3.4 is the IP address of one of
	288	your DNS server.
	289	.SS Example applications
	290	SLIME is an Emacs extension for doing interactive programming with Lisp
	291	systems. It communicates with the Lisp system using TCP sockets, since
	292	Unix-domain sockets are unavailable on Windows, and besides, they are
	293	less well supported by Lisp implementations. Unfortunately, when the
	294	author wrote this program, SLIME applied no authentication on its TCP
	295	port, allowing any local user to take over the running Lisp. Worse,
	296	some Lisps are unable to bind a listening socket to a particular
	297	address, leaving the socket potentially available to anyone on the
	298	network. By running Emacs under
	299	.BR noip ,
	300	the security hole is closed completely and no messing with
	301	authentication secrets is needed.
	302	.PP
	303	SSH is an excellent tool for secure communications over hostile
	304	networks. In particular, its ability to forward TCP connections to a
	305	port on one side of an SSH tunnel to the other side is very useful.
	306	However, such a forwarded port is available to all users on the source
	307	side of the tunnel. Using
	308	.B noip
	309	and a suitable configuration, a user can restrict access to a forwarded
	310	port to himself or a small group.
	311	.SH BUGS
	312	.B noip
	313	is implemented as an
	314	.B LD_PRELOAD
	315	hack. It won't work on setuid programs. Also, perhaps more
a8be0591	316	importantly, it can't do anything to prevent a
e4976bb0	317	.I malicious
a8be0591	318	program's use of networking: a program could theoretically issue sockets
e4976bb0	319	system calls directly instead of using the C library calls that
	320	.B noip
	321	intercepts. It is intended only as a tool for enhancing the security of
	322	software written by well-meaning programmers who don't understand the
	323	security aspects of writing networking code.
	324	.PP
	325	It's very hard to tell exactly what state a Unix-domain socket is in.
	326	If the filesystem object isn't there, it's not active, but if it
	327	.I is
	328	then the socket might be in use or it might be stale.
	329	.B noip
	330	consults
	331	.B /proc/net/unix
	332	to decide whether a socket is in use, but this can fail in two ways.
	333	Firstly, if the socket is created and renamed, the kernel doesn't
	334	notice, and
	335	.B noip
	336	will think that the new name is stale. Secondly, if the socket is
	337	created, used, unlinked while it's still in use, and recreated, then
	338	.B noip
	339	will think that it's in use when in fact it's gone stale. Don't mess
	340	with
	341	.BR noip 's
	342	sockets unless you know what you're doing.
	343	.PP
	344	The procedure to replace a Unix-domain socket by an Internet one is
	345	fairly thorough, but there are some missing cases. In particular, if
	346	the socket being bound or connected is a duplicate (using
	347	.BR dup (2))
	348	then only one of the copies will be fixed. Similarly, copies owned by
	349	child processes will be unaffected.
	350	.PP
	351	This manual is surprisingly long and complicated for such a simple hack.
	352	.SH AUTHOR
a8be0591	353	Mark Wooding, <mdw@distorted.org.uk>