1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
|
.\" Hey, Emacs! This is an -*- nroff -*- source file.
.\" Authors: Ian Jackson
.\"
.\" authbind is Copyright (C) 1998 Ian Jackson
.\"
.\" This program is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2, or (at your option)
.\" any later version.
.\"
.\" This program is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software Foundation,
.\" Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
.\"
.TH AUTHBIND 1 "30th August 1998" "Debian Project" "Debian Linux manual"
.SH NAME
authbind \- bind sockets to privileged ports without root
.SH SYNOPSIS
.BR authbind
.RI [ options "] " program " [" argument " ...]"
.SH DESCRIPTION
.B authbind
allows a program which does not or should not run as root to bind to
low-numbered ports in a controlled way.
.PP
You must invoke the program using
.BR authbind ". " authbind
will set up some environment variables, including an
.BR LD_PRELOAD ,
which will allow the program (including any subprocesses it may run)
to bind to low-numbered (<512) ports if the system is configured to
allow this.
.SH OPTIONS
.TP
.B --deep
Normally,
.B authbind
arranges for only the program which it directly invokes to be affected
by its special version of
.BR bind (2).
If you specify
.B --deep
then all programs which that program invokes directly or indirectly
will be affected, so long as they do not unset the environment
variables set up by
.BR authbind .
.TP
.BI --depth " levels"
Causes
.B authbind
to affect programs which are
.I levels
deep in the calling graph. The default is
.BR "--depth 1" .
.SH ACCESS CONTROL
Access to low numbered ports is controlled by permissions and contents
of files in a configuration area,
.BR /etc/authbind .
.PP
Firstly,
.BI /etc/authbind/byport/ port
is tested. If this file is accessible for execution to the calling
user, according to
.BR access (2),
then binding to the port is authorised. If the file can be seen not
to exist (the existence check returns
.BR ENOENT )
then further tests will be used to find authorisation; otherwise,
binding is not authorised, and the
.B bind
call will return with the
.B errno
value from the
.BR access (2)
call, usually
.B EACCES
.RI ( "Permission denied" ).
.PP
Secondly, if that test fails to resolve the matter,
.BI /etc/authbind/byaddr/ addr , port
(any protocol) or failing that
.BI /etc/authbind/byaddr/ addr : port
(IPv4 only)
is tested, in the same manner as above. Here
.I addr
is as from
.BR inet_ntop ,
and
.I port
is the (local) TCP or UDP port number, expressed as an unsigned
integer in the minimal non-zero number of digits.
.PP
Thirdly, for IPv6 only: since the textual representation from
.B inet_ntop
is complicated to predict, a variant of
.I addr
is also tested which does not use the double colon abbreviation:
each 16-byte chunk expressed in the minimal nonzero number
of hex digits (i.e. with leading zeroes removed), the chunks
being separated by colons as is conventional.
.PP
Fourthly, if the question is still unresolved, the file
.BI /etc/authbind/byuid/ uid
will be opened and read. If the file does not exist then the binding
is not authorised and
.B bind
will return
.B EPERM
.RI ( "Operation not permitted" ", or " "Not owner" ).
If the file does exist it will be searched for a line of the form
.nf
.IR addrmin [\fB\-\fR addrmax ]\fB,\fR portmin [\fB\-\fR portmax ]
.IR addr [\fB/\fR length ]\fB,\fR portmin [\fB\-\fR portmax ]
.IB addr4 / length : portmin , portmax
.fi
matching the request.
The first form requires that the address lies in the
relevant range (inclusive at both ends).
The second and third forms require that the initial
.I length
bits of
.I addr
match those in the proposed
.B bind
call. The third form is only available for IPv4 since IPv6 addresses
contain colons.
Addresses in the byuid file can
be in any form acceptable to inet_pton. In all cases
the proposed port number must lie is in the inclusive range
specified. If such a line is found then the binding is authorised.
Otherwise it is not, and
.B bind
will fail with
.B ENOENT
.RI ( "No such file or directory" ).
.PP
If a read error occurs, or the directory
.B /etc/authbind
cannot be accessed, then not only will
.B bind
fail, but an error message will be printed to stderr. Unrecognised
lines in
.BI /etc/authbind/byuid/ uid
files are silently ignored, as are lines whose
.I addr
has non-zero bits more than
.I length
from the top or where some
.I min
is larger than
.IR max .
.SH EXAMPLE
So for example an attempt by uid 432
to bind to port 80 of address [2620:106:e002:f00f::21]
would result in authbind calling
.I access(2)
on, in order,
.RS
.B /etc/authbind/byport/80
.br
.B /etc/authbind/byaddr/2620:106:e002:f00f::21,80
.br
.B /etc/authbind/byaddr/2620:106:e002:f00f:0:0:0:21,80
.RE
If none of these files exist, authbind will read
.RS
.B /etc/authbind/byuid/432
.RE
and search for a line to permit
the relevant access; examples of lines which would do so are:
.RS
.B 2620:106:e002:f00f::21,80
.br
.B ::/0,80
.RE
.SH PORTS 512-1023
Authorising binding to ports from 512 to 1023 inclusive is
not recommended. Some protocols (including some versions of NFS)
authorise clients by seeing that they are using a port number in this
range. So by authorising a program to be a server for such a port,
you are also authorising it to impersonate the whole host for those
protocols.
To make sure that this isn't done by accident,
if the port number requested is in the range 512-1023, authbind
will expect the permission files to have an additional
.B !
at the start of their leafname.
.SH MECHANISM
The shared library loaded using
.B LD_PRELOAD
overrides the
.BR bind (2)
system call. When a program invoked via
.B authbind
calls
.B bind
to bind a socket to a low-numbered TCP/IP port, and if the program
doesn't already have an effective uid of 0, the version of
.B bind
supposed by
.B authbind
forks and executes a setuid-root helper program. For non-TCP/IP
sockets, high-numbered ports, or programs which are already root,
.B authbind
passes the call to the original
.BR bind (2)
system call, which is found using
.BR dlsym (3)
with the handle
.BR RTLD_NEXT .
.PP
.SH ERROR HANDLING
Usually the normal C error handling mechanisms apply. If
.B authbind
cannot find the program it has been asked to execute it will print a
message to stderr and exit with code 255.
.PP
The helper program usually reports back to the shared library with an
exit status containing an
.B errno
value which encodes whether the
.B bind
was permitted and successful. This will be returned to the calling
program in the usual way.
.PP
In the case of apparent configuration or other serious errors the
library and/or the helper program may cause messages to be printed to
the program's stderr, was well as returning -1 from
.BR bind .
.SH BUGS
.B authbind
currently only supports IPv4 and IPv6 sockets.
Programs which open other kinds
of sockets will not benefit from
.BR authbind ,
but it won't get in their way.
.PP
The use of
.B LD_PRELOAD
makes an
.B authbind
installation specific to a particular C library. This version is for
GNU/Linux libc6 (glibc2).
.PP
.B authbind
may not operate correctly with multithreaded programs. It is
inherently very difficult (if not impossible) to perform the kind of
trickery that authbind does while preventing all undesirable
interactions between authbind's activities and those of (say) a
threading runtime system.
.PP
It is quite possible that
.B authbind
and other programs and facilities which use
.B LD_PRELOAD
may interfere with each other, causing unpredictable behaviour or even
core dumps.
.B authbind
is known sometimes not to work correctly with
.BR fakeroot ,
for example (even supposing it could be determined what `correctly'
means in this context).
.PP
.B authbind
is ineffective with setuid programs, because they do not honour
.B LD_PRELOAD
references outside the system directories, for security reasons. (In
fact, setuid programs should not honour
.B LD_PRELOAD
at all.)
Of course a setuid-root program does not need
.BR authbind ,
but it might be useful to apply it to program which are setuid to
another user or setgid. If the author or builder of such a programs
wishes it to use authbind they could have it load the
.B libauthbind
library explicitly rather than via
.BR LD_PRELOAD .
.PP
Some programs may have trouble because
.B authbind
spawns a child process `under their feet', causing (for example) a
.BR fork (2)
to happen and
.B SIGCHLD
signal to be delivered. Unfortunately the Unix API does not make
it possible to deal with this problem in a sane way.
.PP
The access control configuration scheme is somewhat strange.
.SH FILES AND ENVIRONMENT VARIABLES
.TP
.I /usr/lib/authbind/libauthbind.so.1.0
The shared library which
.B authbind
causes to be loaded using
.BR LD_PRELOAD ,
and which actually implements the diversion of
.BR bind (2)
to an external program.
.TP
.I LD_PRELOAD
The variable used by the dynamic linker when starting dynamically
linked programs and deciding which shared libraries to load and
modifed by the
.B authbind
program to allow it to override the usual meaning of
.BR bind (2) .
.TP
.I AUTHBIND_LIB
If set, forces
.B authbind
to use its value as the path to the shared library to put in
.BR LD_PRELOAD ,
instead of the compiled-in value. In any case, unless
.B --deep
was specified,
.B authbind
will set this variable to the name of the library actually added to
.BR LD_PRELOAD ,
so that the library can find and remove the right entry.
.TP
.I AUTHBIND_LEVELS
This variable is set by
.B authbind
to the number of levels left from the
.B --depth
or
.B --deep
option, minus one. It is decremented during
.B _init
by the library on each program call, and the library will remove
itself from the
.B LD_PRELOAD
when it reaches zero. The special value
.B y
means
.B --deep
was specified.
.SH SEE ALSO
.BR bind (2),
.BR authbind\-helper (8),
.BR dlsym (3),
.BR ld.so (8)
.SH AUTHOR
.B authbind
and this manpage were written by Ian Jackson. They are
Copyright (C)1998,2012
by him and released under the GNU General Public Licence; there is NO
WARRANTY. See
.B /usr/doc/authbind/copyright
and
.B /usr/doc/copyright/GPL
for details.
|
