| 1 | .de VS |
| 2 | .sp 1 |
| 3 | .RS |
| 4 | .nf |
| 5 | .ft B |
| 6 | .. |
| 7 | .de VE |
| 8 | .ft R |
| 9 | .fi |
| 10 | .RE |
| 11 | .sp 1 |
| 12 | .. |
| 13 | .TH noip 1 "5 May 2005" "Straylight/Edgeware" "Preload hacks" |
| 14 | .SH NAME |
| 15 | noip \- run programs without the ability to use IP sockets |
| 16 | .SH SYNOPSIS |
| 17 | .B noip |
| 18 | .RI [ command |
| 19 | .RI [ args ...]] |
| 20 | .SH DESCRIPTION |
| 21 | The |
| 22 | .B noip |
| 23 | program runs |
| 24 | .I command |
| 25 | (by default, the user's shell, as determined by the |
| 26 | .B SHELL |
| 27 | environment variable) in an environment where attempts to use TCP/IP |
| 28 | networking are (mostly) transparently translated into the use of |
| 29 | Unix-domain sockets in a private directory. |
| 30 | .PP |
| 31 | There are many programs which use TCP/IP for their own internal |
| 32 | communications needs, largely unnecessarily. This can present security |
| 33 | problems: even if a program binds its listening sockets to |
| 34 | .BR localhost , |
| 35 | other users on the same system can still connect, and many such programs |
| 36 | don't seem to have authentication systems. |
| 37 | .PP |
| 38 | .B noip |
| 39 | addresses this problem by intercepting a program's networking calls and |
| 40 | making it use Unix-domain sockets in a private directory instead of |
| 41 | TCP/IP. Now its communications are truly private to the running user. |
| 42 | .SS The socket directory |
| 43 | The |
| 44 | .B noip |
| 45 | program keeps its sockets in a directory whose name can be configured, |
| 46 | but by default is |
| 47 | .BI noip- \c |
| 48 | .IR username , |
| 49 | where |
| 50 | .I username |
| 51 | is determined by the |
| 52 | .B USER |
| 53 | or |
| 54 | .B LOGNAME |
| 55 | environment variables, or is |
| 56 | .BI uid- \c |
| 57 | .IR realuid |
| 58 | in the temporary directory, which in turn is determined by the |
| 59 | .B TMPDIR |
| 60 | or |
| 61 | .B TMP |
| 62 | environment variables, or is |
| 63 | .BR /tmp . |
| 64 | The sockets in this directory are simply named |
| 65 | .IB dottedquad : port |
| 66 | after the Internet sockets they represent. |
| 67 | .PP |
| 68 | If the socket directory does not exist when a program running under |
| 69 | .B noip |
| 70 | starts up, it is created and made readable and writable only by the |
| 71 | current user. Also, it is scanned and any apparently stale sockets are |
| 72 | removed. |
| 73 | .SS Configuration |
| 74 | The operation of |
| 75 | .B noip |
| 76 | is controlled by a configuration file. By default, |
| 77 | .B noip |
| 78 | reads configuration from |
| 79 | .B .noip |
| 80 | in the calling user's home directory, as determined by the |
| 81 | .B HOME |
| 82 | environment, or, failing that, looking up the effective user id in the |
| 83 | password database. However, if the environment variable |
| 84 | .B NOIP_CONFIG |
| 85 | is set, then the file it names is read instead (assuming it exists; if |
| 86 | it doesn't, no configuration is read). |
| 87 | .PP |
| 88 | The configuration file has a simple line-based format. A line is |
| 89 | ignored if it consists only of whitespace, or if its first |
| 90 | non-whitespace character is |
| 91 | .RB ` # '. |
| 92 | Otherwise, the first whitespace-delimited word is a keyword and the |
| 93 | remainder of the line is a value. The following keywords are |
| 94 | recognized. |
| 95 | .TP |
| 96 | .BR "debug " [\fInumber\fR] |
| 97 | If |
| 98 | .I number |
| 99 | is nonzero, turn debugging on; if it is zero, turn debugging off. The |
| 100 | default, if no |
| 101 | .I number |
| 102 | is given, is to turn debugging on. Debugging is written to standard |
| 103 | error. Some debugging is produced before the configuration file is |
| 104 | read; the environment variable |
| 105 | .B NOIP_DEBUG |
| 106 | can be used to control this. |
| 107 | .TP |
| 108 | .BI "socketdir " directory |
| 109 | Store the Unix-domain sockets in |
| 110 | .IR directory |
| 111 | rather than the default. The environment variable |
| 112 | .B NOIP_SOCKETDIR |
| 113 | can also be used to control which directory is used for sockets. |
| 114 | .TP |
| 115 | .BI "autoports " min "\-" max |
| 116 | Select which ports are used for implicit binding. Allocating ports can |
| 117 | be a bit slow, since checking whether a Unix domain socket is in use is |
| 118 | difficult. A wide range makes things easier, because |
| 119 | .B noip |
| 120 | starts by trying ports at random from the given range. The environment |
| 121 | variable |
| 122 | .B NOIP_AUTOPORTS |
| 123 | can also be used to control which ports are assigned automatically. |
| 124 | .TP |
| 125 | .BI "realbind " acl-entry |
| 126 | Add an entry to the |
| 127 | .B realbind |
| 128 | access control list (ACL). When a program attempts to |
| 129 | .BR bind (2) |
| 130 | a socket to an address, the |
| 131 | .B realbind |
| 132 | ACL is consulted. If the address is matched, then the program is |
| 133 | allowed to bind a real Internet socket to that address; otherwise, the |
| 134 | socket is bound to a Unix-domain socket. Three environment variables |
| 135 | are consulted too: |
| 136 | .BR NOIP_REALBIND_BEFORE , |
| 137 | .BR NOIP_REALBIND , |
| 138 | and |
| 139 | .BR NOIP_REALBIND_AFTER . |
| 140 | The |
| 141 | .B _BEFORE |
| 142 | rules are inserted at the front of the list; the |
| 143 | .B _AFTER |
| 144 | rules are appended on the end. Currently, the rules in |
| 145 | .B NOIP_REALBIND |
| 146 | are also put at the end (before the |
| 147 | .B _AFTER |
| 148 | rules), though this may change later. |
| 149 | .TP |
| 150 | .BI "realconnect " acl-entry |
| 151 | Add an entry to the |
| 152 | .B realconnect |
| 153 | access control list (ACL). When a program attempts to |
| 154 | .BR connect (2) |
| 155 | a socket to an address, or to contact another socket using |
| 156 | .BR sendto (2) |
| 157 | or |
| 158 | .BR sendmsg (2), |
| 159 | the |
| 160 | .B realconnect |
| 161 | ACL is consulted. If the destination address is matched, then the |
| 162 | program is allowed to contact the real Internet socket; otherwise, the |
| 163 | attempt is made to contact a Unix-domain socket. Three environment variables |
| 164 | are consulted too: |
| 165 | .BR NOIP_REALCONNET_BEFORE , |
| 166 | .BR NOIP_REALCONNECT , |
| 167 | and |
| 168 | .BR NOIP_REALCONNECT_AFTER . |
| 169 | The |
| 170 | .B _BEFORE |
| 171 | rules are inserted at the front of the list; the |
| 172 | .B _AFTER |
| 173 | rules are appended on the end. Currently, the rules in |
| 174 | .B NOIP_REALCONNECT |
| 175 | are also put at the end (before the |
| 176 | .B _AFTER |
| 177 | rules), though this may change later. |
| 178 | .IP |
| 179 | (Aside: An attempt to connect to a remote host may not be a hopeless failure, |
| 180 | even if a real IP socket is denied: |
| 181 | .B noip |
| 182 | deliberately makes no attempt to check that addresses being bound to |
| 183 | sockets correspond to locally available addresses; and besides, sockets |
| 184 | can be introduced into the directory by other programs simulating remote |
| 185 | servers.) |
| 186 | .TP |
| 187 | .BI "impbind " bind-rule |
| 188 | Add an entry to the implicit-bind rule list. When a program attempts to |
| 189 | .BR connect (2) |
| 190 | a socket without binding its local address first, |
| 191 | .B noip |
| 192 | consults this list to decide on the correct local address to assign. |
| 193 | Each entry in the list has the form |
| 194 | .RS |
| 195 | .IP |
| 196 | .I address-range |
| 197 | .IR address | \c |
| 198 | .B same |
| 199 | .PP |
| 200 | The rules are tried in order: if the remote address matches (in the same |
| 201 | way as in an ACL entry) the address range on the left side of the rule, |
| 202 | then the socket is bound to the address from the right side; if the |
| 203 | address on the right is |
| 204 | .B same |
| 205 | then the remote address is used. |
| 206 | .PP |
| 207 | Three environment variables |
| 208 | are consulted too: |
| 209 | .BR NOIP_IMPBIND_BEFORE , |
| 210 | .BR NOIP_IMPBIND , |
| 211 | and |
| 212 | .BR NOIP_IMPBIND_AFTER . |
| 213 | The |
| 214 | .B _BEFORE |
| 215 | rules are inserted at the front of the list; the |
| 216 | .B _AFTER |
| 217 | rules are appended on the end. Currently, the rules in |
| 218 | .B NOIP_IMPBIND |
| 219 | are also put at the end (before the |
| 220 | .B _AFTER |
| 221 | rules), though this may change later. |
| 222 | .RE |
| 223 | .PP |
| 224 | An |
| 225 | .I acl-entry |
| 226 | is a comma-separated list of entries of the form: |
| 227 | .IP |
| 228 | .BR + | \- |
| 229 | .I address-range |
| 230 | .RB [ : \c |
| 231 | .IR port-range ] |
| 232 | .PP |
| 233 | (The spaces in the above are optional.) |
| 234 | .PP |
| 235 | The leading sign says whether matching addresses should be |
| 236 | .I accepted |
| 237 | .RB (` + ') |
| 238 | or |
| 239 | .I denied |
| 240 | .RB (` \- '). |
| 241 | .PP |
| 242 | The |
| 243 | .I address-range |
| 244 | portion may be any of the following. |
| 245 | .TP |
| 246 | .B any |
| 247 | Matches all addresses. |
| 248 | .TP |
| 249 | .B local |
| 250 | Matches the address of one of the machine's network interfaces. |
| 251 | .TP |
| 252 | .I address |
| 253 | Matches just the given IPv4 or IPv6 address. An |
| 254 | .I address |
| 255 | may be enclosed in square brackets; IPv6 addresses must be so enclosed, |
| 256 | because colons are significant in the rest of the ACL syntax. |
| 257 | .TP |
| 258 | .IB address \- address |
| 259 | Matches any address which falls in the given range. Addresses are |
| 260 | compared lexicographically, with octets to the left given precedence |
| 261 | over octets to the right. |
| 262 | .TP |
| 263 | .IB address / prefix-length |
| 264 | Matches an address in the given network. |
| 265 | .PP |
| 266 | The |
| 267 | .I port-range |
| 268 | may be omitted (which means `match any port'), or may be a single |
| 269 | .I port |
| 270 | or a range |
| 271 | .IB port \- port |
| 272 | to match. |
| 273 | .PP |
| 274 | Range comparisons are always inclusive of both endpoints. |
| 275 | .PP |
| 276 | ACL entries are processed in the order they appear in the configuration |
| 277 | file. The default action of an ACL, used if none of its entries match, |
| 278 | is the opposite of the last actual entry in the list: if the last entry |
| 279 | says `accept', then the default is to deny, and vice-versa. If the ACL |
| 280 | is empty, the default is to deny all addresses. |
| 281 | .PP |
| 282 | For example, it may be useful to allow access at least to a DNS server. |
| 283 | This can be accomplished by adding a line |
| 284 | .VS |
| 285 | realconnect +1.2.3.4:53 |
| 286 | .VE |
| 287 | to the configuration file, where 1.2.3.4 is the IP address of one of |
| 288 | your DNS server. |
| 289 | .SS Example applications |
| 290 | SLIME is an Emacs extension for doing interactive programming with Lisp |
| 291 | systems. It communicates with the Lisp system using TCP sockets, since |
| 292 | Unix-domain sockets are unavailable on Windows, and besides, they are |
| 293 | less well supported by Lisp implementations. Unfortunately, when the |
| 294 | author wrote this program, SLIME applied no authentication on its TCP |
| 295 | port, allowing any local user to take over the running Lisp. Worse, |
| 296 | some Lisps are unable to bind a listening socket to a particular |
| 297 | address, leaving the socket potentially available to anyone on the |
| 298 | network. By running Emacs under |
| 299 | .BR noip , |
| 300 | the security hole is closed completely and no messing with |
| 301 | authentication secrets is needed. |
| 302 | .PP |
| 303 | SSH is an excellent tool for secure communications over hostile |
| 304 | networks. In particular, its ability to forward TCP connections to a |
| 305 | port on one side of an SSH tunnel to the other side is very useful. |
| 306 | However, such a forwarded port is available to all users on the source |
| 307 | side of the tunnel. Using |
| 308 | .B noip |
| 309 | and a suitable configuration, a user can restrict access to a forwarded |
| 310 | port to himself or a small group. |
| 311 | .SH BUGS |
| 312 | .B noip |
| 313 | is implemented as an |
| 314 | .B LD_PRELOAD |
| 315 | hack. It won't work on setuid programs. Also, perhaps more |
| 316 | importantly, it can't do anything to prevent a |
| 317 | .I malicious |
| 318 | program's use of networking: a program could theoretically issue sockets |
| 319 | system calls directly instead of using the C library calls that |
| 320 | .B noip |
| 321 | intercepts. It is intended only as a tool for enhancing the security of |
| 322 | software written by well-meaning programmers who don't understand the |
| 323 | security aspects of writing networking code. |
| 324 | .PP |
| 325 | It's very hard to tell exactly what state a Unix-domain socket is in. |
| 326 | If the filesystem object isn't there, it's not active, but if it |
| 327 | .I is |
| 328 | then the socket might be in use or it might be stale. |
| 329 | .B noip |
| 330 | consults |
| 331 | .B /proc/net/unix |
| 332 | to decide whether a socket is in use, but this can fail in two ways. |
| 333 | Firstly, if the socket is created and renamed, the kernel doesn't |
| 334 | notice, and |
| 335 | .B noip |
| 336 | will think that the new name is stale. Secondly, if the socket is |
| 337 | created, used, unlinked while it's still in use, and recreated, then |
| 338 | .B noip |
| 339 | will think that it's in use when in fact it's gone stale. Don't mess |
| 340 | with |
| 341 | .BR noip 's |
| 342 | sockets unless you know what you're doing. |
| 343 | .PP |
| 344 | The procedure to replace a Unix-domain socket by an Internet one is |
| 345 | fairly thorough, but there are some missing cases. In particular, if |
| 346 | the socket being bound or connected is a duplicate (using |
| 347 | .BR dup (2)) |
| 348 | then only one of the copies will be fixed. Similarly, copies owned by |
| 349 | child processes will be unaffected. |
| 350 | .PP |
| 351 | This manual is surprisingly long and complicated for such a simple hack. |
| 352 | .SH AUTHOR |
| 353 | Mark Wooding, <mdw@distorted.org.uk> |