ucspi-socket-rules-check

Name

ucspi-socket-rules-check — check local socket connections against access control rules

Synopsis

ucspi-socket-rules-check [--verbose] {next-prog}

Description

ucspi-socket-rules-check expects a process environment that has been set up per the UCSPI conventions by local-stream-socket-accept(1) or tcp-socket-accept(1). It checks what is contained in the environment against a database of access control rules, and (if the access checks pass) it then chain loads to next-prog with the execvp(3) function. If the access checks fail, it exits without running anything.

next-prog may contain its own command line options, which ucspi-socket-rules-check will ignore.

Searching for access control rules

Overall behaviour is guided by the value of the PROTO environment variable.

  • If PROTO has the value UNIX:

    1. If a directory named uid/$UNIXREMOTEUID exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

    2. If a directory named gid/$UNIXREMOTEGID exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

    3. If a directory named uid/default exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

    4. Otherwise access is denied.

  • If PROTO has the value TCP:

    1. A group of directories, forming progressively larger supernets of the IP address, are checked.

      • If the value of TCPREMOTEIP is a human-readable IPv4 address, then, for each prefix length N from 32 down to 0 an IP string is constructed using the netmask $TCPREMOTEIP/$N, and if a directory named ip4/$IP_$N exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

        Thus ip4/0.0.0.0_0 is a catch-all rule.

      • If the value of TCPREMOTEIP is a human-readable IPv6 address, then, for each prefix length N from 128 down to 0 an IP string is constructed using the netmask $TCPREMOTEIP/$N, and if a directory named ip6/$IP_$N exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

        Thus ip6/::_0 is a catch-all rule.

    2. Otherwise access is denied.

  • If PROTO has the value TCP6:

    1. A group of directories, forming progressively larger supernets of the IP address, are checked.

      • If the value of TCP6REMOTEIP is a human-readable IPv4 address, then, for each prefix length N from 32 down to 0 an IP string is constructed using the netmask $TCP6REMOTEIP/$N, and if a directory named ip4/$IP_$N exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

        Thus ip4/0.0.0.0_0 is a catch-all rule.

      • If the value of TCP6REMOTEIP is a human-readable IPv6 address, then, for each prefix length N from 128 down to 0 an IP string is constructed using the netmask $TCP6REMOTEIP/$N, and if a directory named ip6/$IP_$N exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory).

        Thus ip6/::_0 is a catch-all rule.

    2. Otherwise access is denied.

  • Otherwise access is denied.

Access control rule directories

In any given directory:

  • If a file named allow exists then access is granted.

  • If a file named deny exists then access is denied.

  • Otherwise access is neither granted nor denied.

Author

Jonathan de Boyne Pollard