Name

ucspi-socket-rules-check — check local socket connections against access control rules

Synopsis

ucspi-socket-rules-check [--verbose] {next-prog}

Description

ucspi-socket-rules-check expects a process environment that has been set up per the UCSPI conventions by local-stream-socket-accept(1) or tcp-socket-accept(1). It checks what is contained in the environment against a database of access control rules, and (if the access checks pass) it then chain loads to next-prog with the execvp(3) function. If the access checks fail, it exits without running anything.

next-prog may contain its own command line options, which ucspi-socket-rules-check will ignore.

Searching for access control rules

Overall behaviour is guided by the value of the PROTO environment variable.

  • If PROTO has the value UNIX:

    1. If the value of UNIXREMOTEEUID is the same as the process's effective UID and a directory named uid/self/ exists then access is granted or denied according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

    2. If the value of UNIXREMOTEEGID is the same as the process's effective GID and a directory named gid/self/ exists then access is granted or denied according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

    3. If a directory named uid/$UNIXREMOTEEUID exists then access is granted or denied according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

    4. If a directory named gid/$UNIXREMOTEEGID exists then access is granted or denied according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

    5. If a directory named uid/default exists then access is granted or denied according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

    6. Otherwise access is denied.

  • If PROTO has the value TCP:

    1. A group of directories, forming progressively larger supernets of the IP address, is checked.

      • If the value of TCPREMOTEIP is a human-readable IPv4 address, then, for each prefix length N from 32 down to 0 an IP string is constructed using the netmask $TCPREMOTEIP/$N, and if a directory named ip4/$IP_$N exists then access is granted or denied according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

        Thus ip4/0.0.0.0_0 is a catch-all rule.

      • If the value of TCPREMOTEIP is a human-readable IPv6 address, then, for each prefix length N from 128 down to 0 an IP string is constructed using the netmask $TCPREMOTEIP/$N, and if a directory named ip6/$IP_$N exists then access is granted or denied according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

        Thus ip6/::_0 is a catch-all rule.

    2. Otherwise access is denied.

  • If PROTO has the value TCP6:

    1. A group of directories, forming progressively larger supernets of the IP address, is checked.

      • If the value of TCP6REMOTEIP is a human-readable IPv4 address, then, for each prefix length N from 32 down to 0 an IP string is constructed using the netmask $TCP6REMOTEIP/$N, and if a directory named ip4/$IP_$N exists then access is granted or denied according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

        Thus ip4/0.0.0.0_0 is a catch-all rule.

      • If the value of TCP6REMOTEIP is a human-readable IPv6 address, then, for each prefix length N from 128 down to 0 an IP string is constructed using the netmask $TCP6REMOTEIP/$N, and if a directory named ip6/$IP_$N exists then access is granted or denied according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

        Thus ip6/::_0 is a catch-all rule.

    2. Otherwise access is denied.

  • Otherwise access is denied.

Access control rule directories

In any given directory:

  • If a file named allow exists then access is granted.

  • If a file named deny exists then access is denied.

  • Otherwise access is neither granted nor denied.
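The search order above and the allow/deny directory rule together form one small algorithm, and the easiest way to check that a rules tree does what you intend is to model it. The following Python is an added example written for this page; it is not the nosh toolset's own code and does not use its program. It builds a constructed sample policy in a temporary directory (the policy, the addresses and the UID 1000 are all made up for the example) and evaluates UNIX, TCP and TCP6 environments against it, walking the directory names exactly as the manual lists them: uid/self, gid/self, uid/$UNIXREMOTEEUID, gid/$UNIXREMOTEEGID, uid/default for PROTO=UNIX, and ip4/$IP_$N or ip6/$IP_$N from the host prefix down to /0 for PROTO=TCP and TCP6. The trace parameter of check_access is this example's own addition for showing which directories were consulted.

```python
# Added example modelling ucspi-socket-rules-check's lookup order.
# Not the nosh toolset's code; the policy and addresses below are constructed.
import ipaddress
import os
import tempfile


def directory_decision(rules_dir, subdir):
    """True if the directory holds 'allow', False if it holds 'deny',
    None if it is missing or holds neither (the search continues)."""
    path = os.path.join(rules_dir, subdir)
    if not os.path.isdir(path):
        return None
    if os.path.exists(os.path.join(path, "allow")):
        return True
    if os.path.exists(os.path.join(path, "deny")):
        return False
    return None


def candidate_directories(env, euid, egid):
    """Yield the rule directories to consult, in the manual's order."""
    proto = env.get("PROTO")
    if proto == "UNIX":
        remote_uid = env.get("UNIXREMOTEEUID")
        remote_gid = env.get("UNIXREMOTEEGID")
        if remote_uid == str(euid):
            yield "uid/self"
        if remote_gid == str(egid):
            yield "gid/self"
        if remote_uid is not None:
            yield "uid/" + remote_uid
        if remote_gid is not None:
            yield "gid/" + remote_gid
        yield "uid/default"
    elif proto in ("TCP", "TCP6"):
        # TCP reads TCPREMOTEIP, TCP6 reads TCP6REMOTEIP; either family may appear.
        try:
            addr = ipaddress.ip_address(env.get(proto + "REMOTEIP", ""))
        except ValueError:
            return  # unparsable address: no directories to consult, so denied
        family = "ip4" if addr.version == 4 else "ip6"
        # Host prefix (/32 or /128) first, /0 last: the most specific rule wins.
        for n in range(addr.max_prefixlen, -1, -1):
            net = ipaddress.ip_network(f"{addr}/{n}", strict=False)
            yield f"{family}/{net.network_address}_{n}"
    # Any other PROTO yields nothing, which ends in a denial.


def check_access(rules_dir, env, euid=None, egid=None, trace=None):
    """True if next-prog would be chain loaded, False if the check fails.
    trace (a list, optional) collects (subdir, decision) for each visit."""
    euid = os.geteuid() if euid is None else euid
    egid = os.getegid() if egid is None else egid
    for subdir in candidate_directories(env, euid, egid):
        decision = directory_decision(rules_dir, subdir)
        if trace is not None:
            trace.append((subdir, decision))
        if decision is not None:
            return decision
    return False  # search exhausted without a verdict: denied


def build_demo_rules(root):
    """Create a constructed sample policy tree under root."""
    policy = {
        "ip4/10.0.0.0_8": "allow",    # whole /8 allowed ...
        "ip4/10.1.2.0_24": "deny",    # ... except this subnet (/24 is seen before /8)
        "ip4/0.0.0.0_0": "deny",      # IPv4 catch-all
        "ip6/2001:db8::_32": "allow",
        "ip6/::_0": "deny",           # IPv6 catch-all
        "uid/self": "allow",          # peer runs under the server's own effective UID
        "uid/default": "deny",
    }
    for subdir, verdict in policy.items():
        path = os.path.join(root, subdir)
        os.makedirs(path, exist_ok=True)
        open(os.path.join(path, verdict), "w").close()


def demo():
    """Evaluate constructed connections against the sample policy."""
    root = tempfile.mkdtemp()
    build_demo_rules(root)
    cases = {
        "tcp4 in allowed /8": {"PROTO": "TCP", "TCPREMOTEIP": "10.5.5.5"},
        "tcp4 in denied /24": {"PROTO": "TCP", "TCPREMOTEIP": "10.1.2.3"},
        "tcp4 elsewhere": {"PROTO": "TCP", "TCPREMOTEIP": "192.0.2.1"},
        "tcp6 in allowed /32": {"PROTO": "TCP6", "TCP6REMOTEIP": "2001:db8:1::1"},
        "tcp6 elsewhere": {"PROTO": "TCP6", "TCP6REMOTEIP": "fe80::1"},
        "tcp unparsable ip": {"PROTO": "TCP", "TCPREMOTEIP": "not-an-address"},
        "unix same uid": {"PROTO": "UNIX", "UNIXREMOTEEUID": "1000", "UNIXREMOTEEGID": "1000"},
        "unix other uid": {"PROTO": "UNIX", "UNIXREMOTEEUID": "1001", "UNIXREMOTEEGID": "1001"},
        "unknown proto": {"PROTO": "SSL"},
    }
    # euid/egid pinned to the constructed value 1000 so results do not depend on who runs this
    return {name: check_access(root, env, euid=1000, egid=1000) for name, env in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22} -> {'allow' if allowed else 'deny'}")
```

Two properties worth noticing when running it: a deny on a narrow prefix (ip4/10.1.2.0_24) is found before an allow on the wider one (ip4/10.0.0.0_8), because prefix lengths are walked from most to least specific; and without a catch-all directory (ip4/0.0.0.0_0, ip6/::_0, uid/default) an address that matches nothing is still denied, since running off the end of the search is a denial, not an implicit allow.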

Author

Jonathan de Boyne Pollard