[preload-hacks] / noip.1

.de VS
.sp 1
.RS
.nf
.ft B
..
.de VE
.ft R
.fi
.RE
.sp 1
..
.TH noip 1 "5 May 2005" "Straylight/Edgeware" "Preload hacks"
.SH NAME
noip \- run programs without the ability to use IP sockets
.SH SYNOPSIS
.B noip
.RI [ command
.RI [ args ...]]
.SH DESCRIPTION
The
.B noip
program runs
.I command
(by default, the user's shell, as determined by the
.B SHELL
environment variable) in an environment where attempts to use TCP/IP
networking are (mostly) transparently translated into the use of
Unix-domain sockets in a private directory.
.PP
There are many programs which use TCP/IP for their own internal
communications needs, largely unnecessarily.  This can present security
problems: even if a program binds its listening sockets to
.BR localhost ,
other users on the same system can still connect, and many such programs
don't seem to have authentication systems.
.PP
.B noip
addresses this problem by intercepting a program's networking calls and
making it use Unix-domain sockets in a private directory instead of
TCP/IP.  Now its communications are truly private to the running user.
.SS The socket directory
The
.B noip
program keeps its sockets in a directory whose name can be configured,
but by default is
.BI noip- \c
.IR username ,
where
.I username
is determined by the
.B USER
or
.B LOGNAME
environment variables, or is
.BI uid- \c
.IR realuid 
in the temporary directory, which in turn is determined by the
.B TMPDIR
or
.B TMP
environment variables, or is
.BR /tmp .
The sockets in this directory are simply named
.IB dottedquad : port
after the Internet sockets they represent.
.PP
If the socket directory does not exist when a program running under
.B noip
starts up, it is created and made readable and writable only by the
current user.  Also, it is scanned and any apparently stale sockets are
removed.
.SS Configuration
The operation of
.B noip
is controlled by a configuration file.  By default,
.B noip
reads configuration from
.B .noip
in the calling user's home directory, as determined by the
.B HOME
environment, or, failing that, looking up the 
.I real
(not effective) user id in the password database.  However, if the
environment variable
.B NOIP_CONFIG
is set, then the file it names is read instead (assuming it exists; if
it doesn't, no configuration is read).
.PP
The configuration file has a simple line-based format.  A line is
ignored if it consists only of whitespace, or if its first whitespace
character is
.RB ` # '.
Otherwise, the first whitespace-delimited word is a keyword and the
remainder of the line is a value.  The following keywords are
recognized.
.TP
.BR "debug " [\fInumber\fR]
If
.I number
is nonzero, turn debugging on; if it is zero, turn debugging off.  The
default, if no
.I number
is given, is to turn debugging on.  Debugging is written to standard
error.  Some debugging is produced before the configuration file is
read; the environment variable
.B NOIP_DEBUG
can be used to control this.
.TP
.BI "socketdir " directory
Store the Unix-domain sockets in
.IR directory 
rather than the default.  The environment variable
.B NOIP_SOCKETDIR
can also be used to control which directory is used for sockets.
.TP
.BI "realbind " acl-entry
Add an entry to the
.B realbind
access control list (ACL).  When a program attempts to
.BR bind (2)
a socket to an address, the
.B realbind
ACL is consulted.  If the address is matched, then the program is
allowed to bind a real Internet socket to that address; otherwise, the
socket is bound to a Unix-domain socket.  Three environment variables
are consulted too:
.BR NOIP_REALBIND_BEFORE ,
.BR NOIP_REALBIND ,
and
.BR NOIP_REALBIND_AFTER .
The
.B _BEFORE
rules are inserted at the front of the list; the
.B _AFTER
rules are appended on the end.  Currently, the rules in
.B NOIP_REALBIND
are also put at the end (before the
.B _AFTER
rules), though this may change later.
.TP
.BI "realconnect " acl-entry
Add an entry to the
.B realconnect
access control list (ACL).  When a program attempts to
.BR connect (2)
a socket to an address, or to contact another socket using
.BR sendto (2)
or 
.BR sendmsg (2),
the
.B realconnect
ACL is consulted.  If the destination address is matched, then the
program is allowed to contact the real Internet socket; otherwise, the
attempt is made to contact a Unix-domain socket.  Three environment variables
are consulted too:
.BR NOIP_REALCONNET_BEFORE ,
.BR NOIP_REALCONNECT ,
and
.BR NOIP_REALCONNECT_AFTER .
The
.B _BEFORE
rules are inserted at the front of the list; the
.B _AFTER
rules are appended on the end.  Currently, the rules in
.B NOIP_REALCONNECT
are also put at the end (before the
.B _AFTER
rules), though this may change later.
.PP
(Aside: An attempt to connect to a remote host may not be a hopeless failure,
even if a real IP socket is denied:
.B noip
deliberately makes no attempt to check that addresses being bound to
sockets correspond to locally available addresses; and besides, sockets
can be introduced into the directory by other programs simulating remote
servers.)
.PP
An
.I acl-entry
is a comma-separated list of entries of the form:
.IP
.BR + | \-
.IR address \c
.RB [ \- \c
.IR address | \c
.BR / \c
.IR mask ]| \c
.BR local | any
.RB [ : \c
.IR port [ \c
.BI \- \c
.IR port ]]
.PP
(The spaces in the above are optional.)
.PP
The leading sign says whether
matching addresses should be 
.I accepted
.RB (` + ')
or
.I denied
.RB (` \- ').
.PP
The IP-address portion may be any of the following
.TP
.B any
Matches all addresses.
.TP
.B local
Matches the address of one of the machine's network interfaces.
.TP
.I address
Matches just the given address
.TP
.IB address \- address
Matches any address which falls in the given range.  Addresses are
compared lexicographically, with octets to the left given precedence
over octets to the right.
.TP
.IB address / mask
Matches an address in the given network.  The
.I mask
may be a netmask in dotted-quad form, or a one-bit-count.
.PP
The port portion may be omitted (which means `match any port'), or may
be a single
.I port
or a range
.IB port \- port
to match.
.PP
Range comparisons are always inclusive of both endpoints.
.PP
ACL entries are processed in the order they appear in the configuration
file.  The default action of an ACL, used if none of its entries match,
is the opposite of the last actual entry in the list: if the last entry
says `accept', then the default is to deny, and vice-versa.  If the ACL
is empty, the default is to deny all addresses.
.PP
For example, it may be useful to allow access at least to a DNS server.
This can be accomplished by adding a line
.VS
realconnect +1.2.3.4:52
.VE
to the configuration file, where 1.2.3.4 is the IP address of one of
your DNS server. 
.SS Example applications
SLIME is an Emacs extension for doing interactive programming with Lisp
systems.  It communicates with the Lisp system using TCP sockets, since
Unix-domain sockets are unavailable on Windows, and besides, they are
less well supported by Lisp implementations.  Unfortunately, when the
author wrote this program, SLIME applied no authentication on its TCP
port, allowing any local user to take over the running Lisp.  Worse,
some Lisps are unable to bind a listening socket to a particular
address, leaving the socket potentially available to anyone on the
network.  By running Emacs under
.BR noip ,
the security hole is closed completely and no messing with
authentication secrets is needed.
.PP
SSH is an excellent tool for secure communications over hostile
networks.  In particular, its ability to forward TCP connections to a
port on one side of an SSH tunnel to the other side is very useful.
However, such a forwarded port is available to all users on the source
side of the tunnel.  Using 
.B noip
and a suitable configuration, a user can restrict access to a forwarded
port to himself or a small group.
.SH BUGS
.B noip
is implemented as an
.B LD_PRELOAD
hack.  It won't work on setuid programs.  Also, perhaps more
importantly, it can't do anything a
.I malicious
program use of networking: a program could theoretically issue sockets
system calls directly instead of using the C library calls that
.B noip
intercepts.  It is intended only as a tool for enhancing the security of
software written by well-meaning programmers who don't understand the
security aspects of writing networking code.
.PP
It's very hard to tell exactly what state a Unix-domain socket is in.
If the filesystem object isn't there, it's not active, but if it
.I is
then the socket might be in use or it might be stale.
.B noip
consults
.B /proc/net/unix
to decide whether a socket is in use, but this can fail in two ways.
Firstly, if the socket is created and renamed, the kernel doesn't
notice, and
.B noip
will think that the new name is stale.  Secondly, if the socket is
created, used, unlinked while it's still in use, and recreated, then
.B noip
will think that it's in use when in fact it's gone stale.  Don't mess
with
.BR noip 's
sockets unless you know what you're doing.
.PP
The procedure to replace a Unix-domain socket by an Internet one is
fairly thorough, but there are some missing cases.  In particular, if
the socket being bound or connected is a duplicate (using
.BR dup (2))
then only one of the copies will be fixed.  Similarly, copies owned by
child processes will be unaffected.
.PP
This manual is surprisingly long and complicated for such a simple hack.
.SH AUTHOR
Mark Wooding, <mdw@nsict.org>
Commit	Line	Data
e4976bb0	1	.de VS
	2	.sp 1
	3	.RS
	4	.nf
	5	.ft B
	6	..
	7	.de VE
	8	.ft R
	9	.fi
	10	.RE
	11	.sp 1
	12	..
	13	.TH noip 1 "5 May 2005" "Straylight/Edgeware" "Preload hacks"
	14	.SH NAME
	15	noip \- run programs without the ability to use IP sockets
	16	.SH SYNOPSIS
	17	.B noip
	18	.RI [ command
	19	.RI [ args ...]]
	20	.SH DESCRIPTION
	21	The
	22	.B noip
	23	program runs
	24	.I command
	25	(by default, the user's shell, as determined by the
	26	.B SHELL
	27	environment variable) in an environment where attempts to use TCP/IP
	28	networking are (mostly) transparently translated into the use of
	29	Unix-domain sockets in a private directory.
	30	.PP
	31	There are many programs which use TCP/IP for their own internal
	32	communications needs, largely unnecessarily. This can present security
	33	problems: even if a program binds its listening sockets to
	34	.BR localhost ,
	35	other users on the same system can still connect, and many such programs
	36	don't seem to have authentication systems.
	37	.PP
	38	.B noip
	39	addresses this problem by intercepting a program's networking calls and
	40	making it use Unix-domain sockets in a private directory instead of
	41	TCP/IP. Now its communications are truly private to the running user.
	42	.SS The socket directory
	43	The
	44	.B noip
	45	program keeps its sockets in a directory whose name can be configured,
	46	but by default is
	47	.BI noip- \c
	48	.IR username ,
	49	where
	50	.I username
	51	is determined by the
	52	.B USER
	53	or
	54	.B LOGNAME
	55	environment variables, or is
	56	.BI uid- \c
	57	.IR realuid
	58	in the temporary directory, which in turn is determined by the
	59	.B TMPDIR
	60	or
	61	.B TMP
	62	environment variables, or is
	63	.BR /tmp .
	64	The sockets in this directory are simply named
65	.IB dottedquad : port
66	after the Internet sockets they represent.
67	.PP
68	If the socket directory does not exist when a program running under
69	.B noip
70	starts up, it is created and made readable and writable only by the
71	current user. Also, it is scanned and any apparently stale sockets are
72	removed.
73	.SS Configuration
74	The operation of
75	.B noip
76	is controlled by a configuration file. By default,
77	.B noip
78	reads configuration from
79	.B .noip
80	in the calling user's home directory, as determined by the
81	.B HOME
82	environment, or, failing that, looking up the
83	.I real
a6d9626b	84	(not effective) user id in the password database. However, if the
	85	environment variable
	86	.B NOIP_CONFIG
	87	is set, then the file it names is read instead (assuming it exists; if
	88	it doesn't, no configuration is read).
e4976bb0	89	.PP
	90	The configuration file has a simple line-based format. A line is
	91	ignored if it consists only of whitespace, or if its first whitespace
	92	character is
	93	.RB ` # '.
	94	Otherwise, the first whitespace-delimited word is a keyword and the
	95	remainder of the line is a value. The following keywords are
	96	recognized.
	97	.TP
	98	.BR "debug " [\fInumber\fR]
	99	If
	100	.I number
	101	is nonzero, turn debugging on; if it is zero, turn debugging off. The
	102	default, if no
	103	.I number
	104	is given, is to turn debugging on. Debugging is written to standard
	105	error. Some debugging is produced before the configuration file is
	106	read; the environment variable
	107	.B NOIP_DEBUG
	108	can be used to control this.
	109	.TP
	110	.BI "socketdir " directory
	111	Store the Unix-domain sockets in
	112	.IR directory
a6d9626b	113	rather than the default. The environment variable
	114	.B NOIP_SOCKETDIR
	115	can also be used to control which directory is used for sockets.
e4976bb0	116	.TP
	117	.BI "realbind " acl-entry
	118	Add an entry to the
	119	.B realbind
	120	access control list (ACL). When a program attempts to
	121	.BR bind (2)
	122	a socket to an address, the
	123	.B realbind
	124	ACL is consulted. If the address is matched, then the program is
	125	allowed to bind a real Internet socket to that address; otherwise, the
a6d9626b	126	socket is bound to a Unix-domain socket. Three environment variables
	127	are consulted too:
	128	.BR NOIP_REALBIND_BEFORE ,
	129	.BR NOIP_REALBIND ,
	130	and
	131	.BR NOIP_REALBIND_AFTER .
	132	The
	133	.B _BEFORE
	134	rules are inserted at the front of the list; the
	135	.B _AFTER
	136	rules are appended on the end. Currently, the rules in
	137	.B NOIP_REALBIND
	138	are also put at the end (before the
	139	.B _AFTER
	140	rules), though this may change later.
e4976bb0	141	.TP
a6d9626b	142	.BI "realconnect " acl-entry
e4976bb0	143	Add an entry to the
	144	.B realconnect
	145	access control list (ACL). When a program attempts to
	146	.BR connect (2)
	147	a socket to an address, or to contact another socket using
	148	.BR sendto (2)
	149	or
	150	.BR sendmsg (2),
	151	the
	152	.B realconnect
	153	ACL is consulted. If the destination address is matched, then the
	154	program is allowed to contact the real Internet socket; otherwise, the
a6d9626b	155	attempt is made to contact a Unix-domain socket. Three environment variables
	156	are consulted too:
	157	.BR NOIP_REALCONNET_BEFORE ,
	158	.BR NOIP_REALCONNECT ,
	159	and
	160	.BR NOIP_REALCONNECT_AFTER .
	161	The
	162	.B _BEFORE
	163	rules are inserted at the front of the list; the
	164	.B _AFTER
	165	rules are appended on the end. Currently, the rules in
	166	.B NOIP_REALCONNECT
	167	are also put at the end (before the
	168	.B _AFTER
	169	rules), though this may change later.
e4976bb0	170	.PP
	171	(Aside: An attempt to connect to a remote host may not be a hopeless failure,
	172	even if a real IP socket is denied:
	173	.B noip
	174	deliberately makes no attempt to check that addresses being bound to
	175	sockets correspond to locally available addresses; and besides, sockets
	176	can be introduced into the directory by other programs simulating remote
	177	servers.)
	178	.PP
	179	An
	180	.I acl-entry
a6d9626b	181	is a comma-separated list of entries of the form:
e4976bb0	182	.IP
	183	.BR + \| \-
	184	.IR address \c
	185	.RB [ \- \c
	186	.IR address \| \c
	187	.BR / \c
	188	.IR mask ]\| \c
	189	.BR local \| any
	190	.RB [ : \c
	191	.IR port [ \c
	192	.BI \- \c
	193	.IR port ]]
	194	.PP
	195	(The spaces in the above are optional.)
	196	.PP
	197	The leading sign says whether
	198	matching addresses should be
	199	.I accepted
	200	.RB (` + ')
	201	or
	202	.I denied
	203	.RB (` \- ').
	204	.PP
	205	The IP-address portion may be any of the following
	206	.TP
	207	.B any
	208	Matches all addresses.
	209	.TP
	210	.B local
	211	Matches the address of one of the machine's network interfaces.
	212	.TP
	213	.I address
	214	Matches just the given address
	215	.TP
	216	.IB address \- address
	217	Matches any address which falls in the given range. Addresses are
	218	compared lexicographically, with octets to the left given precedence
	219	over octets to the right.
	220	.TP
	221	.IB address / mask
	222	Matches an address in the given network. The
	223	.I mask
	224	may be a netmask in dotted-quad form, or a one-bit-count.
	225	.PP
	226	The port portion may be omitted (which means `match any port'), or may
	227	be a single
	228	.I port
	229	or a range
	230	.IB port \- port
	231	to match.
	232	.PP
	233	Range comparisons are always inclusive of both endpoints.
	234	.PP
	235	ACL entries are processed in the order they appear in the configuration
	236	file. The default action of an ACL, used if none of its entries match,
	237	is the opposite of the last actual entry in the list: if the last entry
	238	says `accept', then the default is to deny, and vice-versa. If the ACL
	239	is empty, the default is to deny all addresses.
	240	.PP
	241	For example, it may be useful to allow access at least to a DNS server.
	242	This can be accomplished by adding a line
	243	.VS
	244	realconnect +1.2.3.4:52
	245	.VE
246	to the configuration file, where 1.2.3.4 is the IP address of one of
247	your DNS server.
248	.SS Example applications
249	SLIME is an Emacs extension for doing interactive programming with Lisp
250	systems. It communicates with the Lisp system using TCP sockets, since
251	Unix-domain sockets are unavailable on Windows, and besides, they are
252	less well supported by Lisp implementations. Unfortunately, when the
253	author wrote this program, SLIME applied no authentication on its TCP
254	port, allowing any local user to take over the running Lisp. Worse,
255	some Lisps are unable to bind a listening socket to a particular
256	address, leaving the socket potentially available to anyone on the
257	network. By running Emacs under
258	.BR noip ,
259	the security hole is closed completely and no messing with
260	authentication secrets is needed.
261	.PP
262	SSH is an excellent tool for secure communications over hostile
263	networks. In particular, its ability to forward TCP connections to a
264	port on one side of an SSH tunnel to the other side is very useful.
265	However, such a forwarded port is available to all users on the source
266	side of the tunnel. Using
267	.B noip
268	and a suitable configuration, a user can restrict access to a forwarded
269	port to himself or a small group.
270	.SH BUGS
271	.B noip
272	is implemented as an
273	.B LD_PRELOAD
274	hack. It won't work on setuid programs. Also, perhaps more
275	importantly, it can't do anything a
276	.I malicious
277	program use of networking: a program could theoretically issue sockets
278	system calls directly instead of using the C library calls that
279	.B noip
280	intercepts. It is intended only as a tool for enhancing the security of
281	software written by well-meaning programmers who don't understand the
282	security aspects of writing networking code.
283	.PP
284	It's very hard to tell exactly what state a Unix-domain socket is in.
285	If the filesystem object isn't there, it's not active, but if it
286	.I is
287	then the socket might be in use or it might be stale.
288	.B noip
289	consults
290	.B /proc/net/unix
291	to decide whether a socket is in use, but this can fail in two ways.
292	Firstly, if the socket is created and renamed, the kernel doesn't
293	notice, and
294	.B noip
295	will think that the new name is stale. Secondly, if the socket is
296	created, used, unlinked while it's still in use, and recreated, then
297	.B noip
298	will think that it's in use when in fact it's gone stale. Don't mess
299	with
300	.BR noip 's
301	sockets unless you know what you're doing.
302	.PP
303	The procedure to replace a Unix-domain socket by an Internet one is
304	fairly thorough, but there are some missing cases. In particular, if
305	the socket being bound or connected is a duplicate (using
306	.BR dup (2))
307	then only one of the copies will be fixed. Similarly, copies owned by
308	child processes will be unaffected.
309	.PP
310	This manual is surprisingly long and complicated for such a simple hack.
311	.SH AUTHOR
312	Mark Wooding, <mdw@nsict.org>