ucspi-socket-rules-check 1 user commands nosh ucspi-socket-rules-check check local socket connections against access control rules ucspi-socket-rules-check --verbose next-prog ucspi-socket-rules-check expects a process environment that has been set up per the UCSPI conventions by local-stream-socket-accept1 or tcp-socket-accept1. It checks what is contained in the environment against a database of access control rules, and (if the access checks pass) it then chain loads to next-prog with the execvp3 function. If the access checks fail, it exits without running anything. next-prog may contain its own command line options, which ucspi-socket-rules-check will ignore. Overall behaviour is guided by the value of the PROTO environment variable. If PROTO has the value UNIX: If the value of UNIXREMOTEEUID is the same as the process's effective UID and a directory named uid/self/ exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory). If the value of UNIXREMOTEEGID is the same as the process's effective GID and a directory named gid/self/ exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory). If a directory named uid/$UNIXREMOTEEUID exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory). If a directory named gid/$UNIXREMOTEEGID exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory). If a directory named uid/default exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory). Otherwise access is denied. If PROTO has the value TCP: A group of directories, forming progressively larger supernets of the IP address, are checked. If the value of TCPREMOTEIP is a human-readable IPv4 address, then, for each prefix length N from 32 down to 0 an IP string is constructed using the netmask $TCPREMOTEIP/$N, and if a directory named ip4/$IP_$N exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory). Thus ip4/0.0.0.0_0 is a catch-all rule. If the value of TCPREMOTEIP is a human-readable IPv6 address, then, for each prefix length N from 128 down to 0 an IP string is constructed using the netmask $TCPREMOTEIP/$N, and if a directory named ip6/$IP_$N exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory). Thus ip6/::_0 is a catch-all rule. Otherwise access is denied. If PROTO has the value TCP6: A group of directories, forming progressively larger supernets of the IP address, are checked. If the value of TCP6REMOTEIP is a human-readable IPv4 address, then, for each prefix length N from 32 down to 0 an IP string is constructed using the netmask $TCP6REMOTEIP/$N, and if a directory named ip4/$IP_$N exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory). Thus ip4/0.0.0.0_0 is a catch-all rule. If the value of TCP6REMOTEIP is a human-readable IPv6 address, then, for each prefix length N from 128 down to 0 an IP string is constructed using the netmask $TCP6REMOTEIP/$N, and if a directory named ip6/$IP_$N exists then access is granted according to the directory contents (continuing to search if access is neither granted nor denied by the directory). Thus ip6/::_0 is a catch-all rule. Otherwise access is denied. Otherwise access is denied. In any given directory: If a file named allow exists then access is granted. If a file named settings exists then it is read into the process's environment as if by read-conf1. The settings file can be used, for example, to set the AXFR environment variable for axfrdns1. If a file named deny exists then access is denied. Otherwise access is neither granted nor denied. Jonathan de Boyne Pollard