[tripe] / priv / tripe-privhelper.8.in

.\" -*-nroff-*-
.\".
.\" Manual for the server
.\"
.\" (c) 2008 Straylight/Edgeware
.\"
.
.\"----- Licensing notice ---------------------------------------------------
.\"
.\" This file is part of Trivial IP Encryption (TrIPE).
.\"
.\" TrIPE is free software: you can redistribute it and/or modify it under
.\" the terms of the GNU General Public License as published by the Free
.\" Software Foundation; either version 3 of the License, or (at your
.\" option) any later version.
.\"
.\" TrIPE is distributed in the hope that it will be useful, but WITHOUT
.\" ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
.\" FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
.\" for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with TrIPE.  If not, see <https://www.gnu.org/licenses/>.
.
.\"--------------------------------------------------------------------------
.so ../common/defs.man \" @@@PRE@@@
.
.\"--------------------------------------------------------------------------
.TH tripe-privhelper 8tripe "28 April 2008" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
.
.\"--------------------------------------------------------------------------
.SH "NAME"
.
tripe-privhelper \- privilege-separation helper program
.
.\"--------------------------------------------------------------------------
.SH "SYNOPSIS"
.
This program communicates using a binary protocol over a Unix-domain
socket on file descriptor 0.  It is not intended to be run
interactively.
.
.\"--------------------------------------------------------------------------
.SH "DESCRIPTION"
.
The
.BR tripe (8)
server usually needs superuser privileges in order to open new tunnel
devices, through which it collects and emits network packets.  In order
to prevent the whole system needing to be run as root, the server splits
off a child process and then drops its privileges; the child process
runs this program.
.PP
The
.B tripe-privhelper
program reads requests for tunnel devices on file descriptor 0 and
responds with appropriate file descriptors (using Unix-domain socket
file descriptor passing: see
.BR unix (7))
for correctly configured tunnel devices.
.
.\"--------------------------------------------------------------------------
.SH "BUGS"
.
The objective of the privilege separation model is to reduce the attack
surface for the code running with superuser privileges down to a simple
binary protocol.  There may still be bugs in the small program which
runs as root.
.PP
The `unprivileged' portion of the server still runs with the ability to
read and write arbitrary data on tunnel devices.  In particular, if
compromised, it can inject arbitrary packets into the network.  This is
unfortunately inherent in the nature of a VPN server.
.
.\"--------------------------------------------------------------------------
.SH "SEE ALSO"
.
.BR tripe (8).
.PP
.IR "The Trivial IP Encryption Protocol" ,
.IR "The Wrestlers Protocol" .
.
.\"--------------------------------------------------------------------------
.SH "AUTHOR"
.
Mark Wooding, <mdw@distorted.org.uk>
.
.\"----- That's all, folks --------------------------------------------------
Commit	Line	Data
388e0319 MW	1	.\" --nroff--
	2	.\".
	3	.\" Manual for the server
	4	.\"
	5	.\" (c) 2008 Straylight/Edgeware
	6	.\"
	7	.
	8	.\"----- Licensing notice ---------------------------------------------------
	9	.\"
	10	.\" This file is part of Trivial IP Encryption (TrIPE).
	11	.\"
11ad66c2 MW	12	.\" TrIPE is free software: you can redistribute it and/or modify it under
	13	.\" the terms of the GNU General Public License as published by the Free
	14	.\" Software Foundation; either version 3 of the License, or (at your
	15	.\" option) any later version.
388e0319	16	.\"
11ad66c2 MW	17	.\" TrIPE is distributed in the hope that it will be useful, but WITHOUT
	18	.\" ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	19	.\" FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	20	.\" for more details.
388e0319 MW	21	.\"
388e0319 MW	22	.\" You should have received a copy of the GNU General Public License
11ad66c2	23	.\" along with TrIPE. If not, see <https://www.gnu.org/licenses/>.
388e0319 MW	24	.
388e0319 MW	25	.\"--------------------------------------------------------------------------
e99aedcf	26	.so ../common/defs.man \" @@@PRE@@@
388e0319 MW	27	.
388e0319 MW	28	.\"--------------------------------------------------------------------------
0647ba7c	29	.TH tripe-privhelper 8tripe "28 April 2008" "Straylight/Edgeware" "TrIPE: Trivial IP Encryption"
388e0319 MW	30	.
	31	.\"--------------------------------------------------------------------------
	32	.SH "NAME"
	33	.
	34	tripe-privhelper \- privilege-separation helper program
	35	.
	36	.\"--------------------------------------------------------------------------
	37	.SH "SYNOPSIS"
	38	.
	39	This program communicates using a binary protocol over a Unix-domain
	40	socket on file descriptor 0. It is not intended to be run
	41	interactively.
	42	.
	43	.\"--------------------------------------------------------------------------
	44	.SH "DESCRIPTION"
	45	.
	46	The
	47	.BR tripe (8)
	48	server usually needs superuser privileges in order to open new tunnel
	49	devices, through which it collects and emits network packets. In order
	50	to prevent the whole system needing to be run as root, the server splits
	51	off a child process and then drops its privileges; the child process
	52	runs this program.
	53	.PP
	54	The
	55	.B tripe-privhelper
	56	program reads requests for tunnel devices on file descriptor 0 and
	57	responds with appropriate file descriptors (using Unix-domain socket
	58	file descriptor passing: see
	59	.BR unix (7))
	60	for correctly configured tunnel devices.
	61	.
	62	.\"--------------------------------------------------------------------------
	63	.SH "BUGS"
	64	.
	65	The objective of the privilege separation model is to reduce the attack
	66	surface for the code running with superuser privileges down to a simple
	67	binary protocol. There may still be bugs in the small program which
	68	runs as root.
	69	.PP
	70	The `unprivileged' portion of the server still runs with the ability to
	71	read and write arbitrary data on tunnel devices. In particular, if
	72	compromised, it can inject arbitrary packets into the network. This is
	73	unfortunately inherent in the nature of a VPN server.
	74	.
	75	.\"--------------------------------------------------------------------------
	76	.SH "SEE ALSO"
	77	.
	78	.BR tripe (8).
	79	.PP
	80	.IR "The Trivial IP Encryption Protocol" ,
	81	.IR "The Wrestlers Protocol" .
	82	.
	83	.\"--------------------------------------------------------------------------
	84	.SH "AUTHOR"
	85	.
	86	Mark Wooding, <mdw@distorted.org.uk>
	87	.
	88	.\"----- That's all, folks --------------------------------------------------