--- /dev/null
+.\" -*-nroff-*-
+.\".
+.\" Manual for the server
+.\"
+.\" (c) 2008 Straylight/Edgeware
+.\"
+.
+.\"----- Licensing notice ---------------------------------------------------
+.\"
+.\" This file is part of Trivial IP Encryption (TrIPE).
+.\"
+.\" TrIPE is free software; you can redistribute it and/or modify
+.\" it under the terms of the GNU General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\"
+.\" TrIPE is distributed in the hope that it will be useful,
+.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+.\" GNU General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU General Public License
+.\" along with TrIPE; if not, write to the Free Software Foundation,
+.\" Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+.
+.\"--------------------------------------------------------------------------
+.so ../defs.man.in \" @@@PRE@@@
+.
+.\"--------------------------------------------------------------------------
+.TH tripe-privhelper 8 "28 April 2008" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
+.
+.\"--------------------------------------------------------------------------
+.SH "NAME"
+.
+tripe-privhelper \- privilege-separation helper program
+.
+.\"--------------------------------------------------------------------------
+.SH "SYNOPSIS"
+.
+This program communicates using a binary protocol over a Unix-domain
+socket on file descriptor 0. It is not intended to be run
+interactively.
+.
+.\"--------------------------------------------------------------------------
+.SH "DESCRIPTION"
+.
+The
+.BR tripe (8)
+server usually needs superuser privileges in order to open new tunnel
+devices, through which it collects and emits network packets. In order
+to prevent the whole system needing to be run as root, the server splits
+off a child process and then drops its privileges; the child process
+runs this program.
+.PP
+The
+.B tripe-privhelper
+program reads requests for tunnel devices on file descriptor 0 and
+responds with appropriate file descriptors (using Unix-domain socket
+file descriptor passing: see
+.BR unix (7))
+for correctly configured tunnel devices.
+.
+.\"--------------------------------------------------------------------------
+.SH "BUGS"
+.
+The objective of the privilege separation model is to reduce the attack
+surface for the code running with superuser privileges down to a simple
+binary protocol. There may still be bugs in the small program which
+runs as root.
+.PP
+The `unprivileged' portion of the server still runs with the ability to
+read and write arbitrary data on tunnel devices. In particular, if
+compromised, it can inject arbitrary packets into the network. This is
+unfortunately inherent in the nature of a VPN server.
+.
+.\"--------------------------------------------------------------------------
+.SH "SEE ALSO"
+.
+.BR tripe (8).
+.PP
+.IR "The Trivial IP Encryption Protocol" ,
+.IR "The Wrestlers Protocol" .
+.
+.\"--------------------------------------------------------------------------
+.SH "AUTHOR"
+.
+Mark Wooding, <mdw@distorted.org.uk>
+.
+.\"----- That's all, folks --------------------------------------------------
~mdw / tripe / blobdiff