13 .TH noip 1 "5 May 2005" "Straylight/Edgeware" "Preload hacks"
15 noip \- run programs without the ability to use IP sockets
25 (by default, the user's shell, as determined by the
27 environment variable) in an environment where attempts to use TCP/IP
28 networking are (mostly) transparently translated into the use of
29 Unix-domain sockets in a private directory.
31 There are many programs which use TCP/IP for their own internal
32 communications needs, largely unnecessarily. This can present security
33 problems: even if a program binds its listening sockets to
35 other users on the same system can still connect, and many such programs
36 don't seem to have authentication systems.
39 addresses this problem by intercepting a program's networking calls and
40 making it use Unix-domain sockets in a private directory instead of
41 TCP/IP. Now its communications are truly private to the running user.
42 .SS The socket directory
45 program keeps its sockets in a directory whose name can be configured,
55 environment variables, or is
58 in the temporary directory, which in turn is determined by the
62 environment variables, or is
64 The sockets in this directory are simply named
66 after the Internet sockets they represent.
68 If the socket directory does not exist when a program running under
70 starts up, it is created and made readable and writable only by the
71 current user. Also, it is scanned and any apparently stale sockets are
76 is controlled by a configuration file. By default,
78 reads configuration from
80 in the calling user's home directory, as determined by the
82 environment, or, failing that, looking up the
84 (not effective) user id in the password database. However, if the
87 is set, then the file it names is read instead (assuming it exists; if
88 it doesn't, no configuration is read).
90 The configuration file has a simple line-based format. A line is
91 ignored if it consists only of whitespace, or if its first whitespace
94 Otherwise, the first whitespace-delimited word is a keyword and the
95 remainder of the line is a value. The following keywords are
98 .BR "debug " [\fInumber\fR]
101 is nonzero, turn debugging on; if it is zero, turn debugging off. The
104 is given, is to turn debugging on. Debugging is written to standard
105 error. Some debugging is produced before the configuration file is
106 read; the environment variable
108 can be used to control this.
110 .BI "socketdir " directory
111 Store the Unix-domain sockets in
113 rather than the default. The environment variable
115 can also be used to control which directory is used for sockets.
117 .BI "realbind " acl-entry
120 access control list (ACL). When a program attempts to
122 a socket to an address, the
124 ACL is consulted. If the address is matched, then the program is
125 allowed to bind a real Internet socket to that address; otherwise, the
126 socket is bound to a Unix-domain socket. Three environment variables
128 .BR NOIP_REALBIND_BEFORE ,
131 .BR NOIP_REALBIND_AFTER .
134 rules are inserted at the front of the list; the
136 rules are appended on the end. Currently, the rules in
138 are also put at the end (before the
140 rules), though this may change later.
142 .BI "realconnect " acl-entry
145 access control list (ACL). When a program attempts to
147 a socket to an address, or to contact another socket using
153 ACL is consulted. If the destination address is matched, then the
154 program is allowed to contact the real Internet socket; otherwise, the
155 attempt is made to contact a Unix-domain socket. Three environment variables
157 .BR NOIP_REALCONNET_BEFORE ,
158 .BR NOIP_REALCONNECT ,
160 .BR NOIP_REALCONNECT_AFTER .
163 rules are inserted at the front of the list; the
165 rules are appended on the end. Currently, the rules in
167 are also put at the end (before the
169 rules), though this may change later.
171 (Aside: An attempt to connect to a remote host may not be a hopeless failure,
172 even if a real IP socket is denied:
174 deliberately makes no attempt to check that addresses being bound to
175 sockets correspond to locally available addresses; and besides, sockets
176 can be introduced into the directory by other programs simulating remote
181 is a comma-separated list of entries of the form:
195 (The spaces in the above are optional.)
197 The leading sign says whether
198 matching addresses should be
205 The IP-address portion may be any of the following
208 Matches all addresses.
211 Matches the address of one of the machine's network interfaces.
214 Matches just the given address
216 .IB address \- address
217 Matches any address which falls in the given range. Addresses are
218 compared lexicographically, with octets to the left given precedence
219 over octets to the right.
222 Matches an address in the given network. The
224 may be a netmask in dotted-quad form, or a one-bit-count.
226 The port portion may be omitted (which means `match any port'), or may
233 Range comparisons are always inclusive of both endpoints.
235 ACL entries are processed in the order they appear in the configuration
236 file. The default action of an ACL, used if none of its entries match,
237 is the opposite of the last actual entry in the list: if the last entry
238 says `accept', then the default is to deny, and vice-versa. If the ACL
239 is empty, the default is to deny all addresses.
241 For example, it may be useful to allow access at least to a DNS server.
242 This can be accomplished by adding a line
244 realconnect +1.2.3.4:52
246 to the configuration file, where 1.2.3.4 is the IP address of one of
248 .SS Example applications
249 SLIME is an Emacs extension for doing interactive programming with Lisp
250 systems. It communicates with the Lisp system using TCP sockets, since
251 Unix-domain sockets are unavailable on Windows, and besides, they are
252 less well supported by Lisp implementations. Unfortunately, when the
253 author wrote this program, SLIME applied no authentication on its TCP
254 port, allowing any local user to take over the running Lisp. Worse,
255 some Lisps are unable to bind a listening socket to a particular
256 address, leaving the socket potentially available to anyone on the
257 network. By running Emacs under
259 the security hole is closed completely and no messing with
260 authentication secrets is needed.
262 SSH is an excellent tool for secure communications over hostile
263 networks. In particular, its ability to forward TCP connections to a
264 port on one side of an SSH tunnel to the other side is very useful.
265 However, such a forwarded port is available to all users on the source
266 side of the tunnel. Using
268 and a suitable configuration, a user can restrict access to a forwarded
269 port to himself or a small group.
274 hack. It won't work on setuid programs. Also, perhaps more
275 importantly, it can't do anything a
277 program use of networking: a program could theoretically issue sockets
278 system calls directly instead of using the C library calls that
280 intercepts. It is intended only as a tool for enhancing the security of
281 software written by well-meaning programmers who don't understand the
282 security aspects of writing networking code.
284 It's very hard to tell exactly what state a Unix-domain socket is in.
285 If the filesystem object isn't there, it's not active, but if it
287 then the socket might be in use or it might be stale.
291 to decide whether a socket is in use, but this can fail in two ways.
292 Firstly, if the socket is created and renamed, the kernel doesn't
295 will think that the new name is stale. Secondly, if the socket is
296 created, used, unlinked while it's still in use, and recreated, then
298 will think that it's in use when in fact it's gone stale. Don't mess
301 sockets unless you know what you're doing.
303 The procedure to replace a Unix-domain socket by an Internet one is
304 fairly thorough, but there are some missing cases. In particular, if
305 the socket being bound or connected is a duplicate (using
307 then only one of the copies will be fixed. Similarly, copies owned by
308 child processes will be unaffected.
310 This manual is surprisingly long and complicated for such a simple hack.
312 Mark Wooding, <mdw@nsict.org>