ucspi-socket-rules-check — check local socket connections against access control rules

ucspi-socket-rules-check [--verbose] {next-prog}
ucspi-socket-rules-check expects a process environment that has been set up per the UCSPI conventions by local-stream-socket-accept(1) or tcp-socket-accept(1). It checks what is contained in the environment against a database of access control rules, and (if the access checks pass) it then chain loads to next-prog with the execvp(3) function. If the access checks fail, it exits without running anything.

next-prog may contain its own command line options, which ucspi-socket-rules-check will ignore.

Overall behaviour is guided by the value of the PROTO environment variable.

If PROTO has the value UNIX:
    If the value of UNIXREMOTEEUID is the same as the process's effective UID and a directory named uid/self/ exists, then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

    If the value of UNIXREMOTEEGID is the same as the process's effective GID and a directory named gid/self/ exists, then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

    If a directory named uid/$UNIXREMOTEEUID exists, then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

    If a directory named gid/$UNIXREMOTEEGID exists, then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

    If a directory named uid/default exists, then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

    Otherwise access is denied.
If PROTO has the value TCP:
    A group of directories, forming progressively larger supernets of the IP address, is checked.

    If the value of TCPREMOTEIP is a human-readable IPv4 address, then, for each prefix length N from 32 down to 0, an IP string is constructed using the netmask $TCPREMOTEIP/$N, and if a directory named ip4/$IP_$N exists, then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory). Thus ip4/0.0.0.0_0 is a catch-all rule.

    If the value of TCPREMOTEIP is a human-readable IPv6 address, then, for each prefix length N from 128 down to 0, an IP string is constructed using the netmask $TCPREMOTEIP/$N, and if a directory named ip6/$IP_$N exists, then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory). Thus ip6/::_0 is a catch-all rule.

    Otherwise access is denied.
If PROTO has the value TCP6:
    A group of directories, forming progressively larger supernets of the IP address, is checked.

    If the value of TCP6REMOTEIP is a human-readable IPv4 address, then, for each prefix length N from 32 down to 0, an IP string is constructed using the netmask $TCP6REMOTEIP/$N, and if a directory named ip4/$IP_$N exists, then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory). Thus ip4/0.0.0.0_0 is a catch-all rule.

    If the value of TCP6REMOTEIP is a human-readable IPv6 address, then, for each prefix length N from 128 down to 0, an IP string is constructed using the netmask $TCP6REMOTEIP/$N, and if a directory named ip6/$IP_$N exists, then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory). Thus ip6/::_0 is a catch-all rule.

    Otherwise access is denied.

Otherwise access is denied.
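The supernet walk for the TCP and TCP6 cases, as an added example (not the tool's own code): it produces the ip4/$IP_$N and ip6/$IP_$N directory names in the order the text describes, most specific first, and finds the first one that exists under a rules root. It assumes the textual form of $IP is the canonical one produced by Python's ipaddress module (IPv6 compressed with "::", which matches the ip6/::_0 catch-all shown above); how a directory's contents grant or deny is not covered here, so a later, less specific directory may still decide.

```python
import ipaddress
import os

# PROTO value -> environment variable carrying the remote address, per the text.
REMOTE_IP_VAR = {"TCP": "TCPREMOTEIP", "TCP6": "TCP6REMOTEIP"}


def candidate_rule_dirs(remote_ip):
    """Rule directory names for remote_ip, most specific first.

    N runs from 32 (IPv4) or 128 (IPv6) down to 0; for each N the address is
    masked to its /N network and ip4/$IP_$N or ip6/$IP_$N is formed, so the
    last entry is the catch-all ip4/0.0.0.0_0 or ip6/::_0.
    Assumption: $IP is rendered in Python's canonical textual form.
    """
    addr = ipaddress.ip_address(remote_ip)
    prefix = "ip4" if addr.version == 4 else "ip6"
    names = []
    for n in range(addr.max_prefixlen, -1, -1):
        net = ipaddress.ip_network(f"{addr}/{n}", strict=False)
        names.append(f"{prefix}/{net.network_address}_{n}")
    return names


def first_existing_rule_dir(env, rules_root=".", isdir=os.path.isdir):
    """Path of the first existing rule directory for this connection, or None.

    env is the UCSPI environment (PROTO plus TCPREMOTEIP / TCP6REMOTEIP).
    None is returned when PROTO is not TCP/TCP6, the address does not parse,
    or no directory in the sequence exists; the text treats all of these as
    denial. isdir is injectable so the walk can be exercised without a real
    directory tree (hypothetical parameter, not one of the tool's own).
    """
    var = REMOTE_IP_VAR.get(env.get("PROTO", ""))
    if var is None or var not in env:
        return None
    try:
        candidates = candidate_rule_dirs(env[var])
    except ValueError:
        return None
    for name in candidates:
        path = os.path.join(rules_root, name)
        if isdir(path):
            return path
    return None
```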