dacinet Command

Purpose

Administers security on TCP ports in CAPP/EAL4+ configuration.

Syntax

dacinet aclflush

dacinet aclclear Service | Port

dacinet acladd Service | [-] addr [/prefix_length] [u:user | uid | g:group | gid]

dacinet acldel Service | [-] addr [/prefix_length] [u:user | uid | g:group | gid]

dacinet aclls Service | Port

dacinet setpriv Service | Port

dacinet unsetpriv Service | Port

dacinet lspriv

Description

The dacinet command is used to administer security on TCP ports. See the Subcommands section for details of the various functions of dacinet.

Subcommands

Item Description
acladd Adds ACL entries to the kernel tables holding access control lists used by DACinet. The syntax of the parameters for the acladd subcommand is:

[-]addr[/length][u:user|uid|g:group|gid]

The parameters are defined as follows:
addr
A DNS hostname or an IP v4/v6 address. A "-" before the address means that this ACL entry is used to deny access rather than to allow access.
length
Indicates that addr is to be used as a network address rather than host address, with its first length bits taken from addr.
u:user|uid
Optional user identifier. If the uid is not specified, all users on the specified host or subnet are given access to the service. If supplied, only the specified user is given access.
g:group|gid
Optional group identifier. If the gid is not specified, all users on the specified host or subnet are given access to the service. If supplied, only the specified group is given access.
aclclear Clears the ACL for specified service or port.
acldel Deletes ACL entries from the kernel tables holding access control lists used by DACinet. The dacinet acldel subcommand deletes an entry from an ACL only if it is issued with parameters that exactly match the ones that were used to add the entry to the ACL. The syntax of the parameters for the acldel subcommand is as follows:

[-]addr[/length][u:user|uid|g:group|gid]

The parameters are defined as follows:
addr
A DNS hostname or an IP v4/v6 address. A "-" before the address means that this ACL entry is used to deny access rather than to allow access.
length
Indicates that addr is to be used as a network address rather than host address, with its first length bits taken from addr.
u:user|uid
Optional user identifier. If the uid is not specified, all users on the specified host or subnet are given access to the service. If supplied, only the specified user is given access.
g:group|gid
Optional group identifier. If the gid is not specified, all users on the specified host or subnet are given access to the service. If supplied, only the specified group is given access.
aclflush Clears all the ACLs defined in the system, rendering all TCP ports inaccessible to connection requests except from the root user on the host. It also clears privileged ports such that any process can bind to any port above 1024.
aclls Lists the ACL for the specified service or port. dacinet aclls 0 lists the default ACL. For authentication processing, from a logical perspective, the default ACL is appended to the ACL for the service. If no entry on the ACL matches the user attempting a connection to the service, access is denied. If one or more entries exist, the first one on the list with a user|group@host|subnet that matches the connection requestor determines the user's ability to connect to the service. It is thus possible to deny a service to a member of a group that has access to the service merely by adding a deny entry for that member before adding the allow entry for the group.
lspriv Lists all the privileged services or ports that are not permanently privileged (that is, it lists only privileged services with port numbers above 1024).
setpriv Makes the specified service or port privileged such that only a process with superuser privileges may bind to the port and thereby offer a service on that port. Ports below 1024 are ignored as they are permanently privileged.
unsetpriv Makes the specified service or port unprivileged such that any process may bind to it. Any process may also bind to any port in the current ephemeral port range, regardless of whether that port is marked as privileged.
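The aclls description above gives the evaluation rules for a connection request: the default ACL (service/port 0) is logically appended to the service ACL, the first entry matching the requestor decides, and no match means the connection is denied, so a deny entry for one group member only works if it was added before the allow entry for the group. The following is an added example, not AIX or dacinet code: a small Python model of those rules that parses entries written in the acladd parameter syntax and evaluates requests against them. It assumes addr is an IPv4/IPv6 literal (hostnames are not resolved), that the qualifier is a separate whitespace-separated token of the form u:name or g:name, and that user and group identifiers (names or numeric ids) are compared as plain strings against whatever identity the caller supplies; the sample ACLs, addresses, users and groups are constructed for the illustration.

```python
# Added model of DACinet ACL evaluation (illustration only, not AIX source).
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
DEFAULT_ACL = 0  # the page says "dacinet aclls 0" lists the default ACL


@dataclass(frozen=True)
class AclEntry:
    deny: bool              # leading "-" on addr: deny instead of allow
    network: Network        # addr, or addr/length taken as a network
    user: Optional[str]     # from u:user|uid, None = any user
    group: Optional[str]    # from g:group|gid, None = any group


def parse_entry(spec: str) -> AclEntry:
    """Parse one acladd/acldel parameter string.

    Assumed token form: '[-]addr[/length]' optionally followed by one
    whitespace-separated qualifier 'u:<user|uid>' or 'g:<group|gid>'.
    Hostnames are not resolved here; addr must be an IPv4/IPv6 literal.
    """
    tokens = spec.split()
    if not 1 <= len(tokens) <= 2:
        raise ValueError(f"bad ACL entry: {spec!r}")
    addr = tokens[0]
    deny = addr.startswith("-")
    if deny:
        addr = addr[1:]
    # strict=False: with /length only the first 'length' bits of addr count,
    # so '10.1.2.7/24' becomes the network 10.1.2.0/24, as the page describes
    network = ipaddress.ip_network(addr, strict=False)
    user = group = None
    if len(tokens) == 2:
        kind, sep, ident = tokens[1].partition(":")
        if sep != ":" or not ident or kind not in ("u", "g"):
            raise ValueError(f"bad qualifier in ACL entry: {spec!r}")
        if kind == "u":
            user = ident
        else:
            group = ident
    return AclEntry(deny, network, user, group)


def entry_matches(entry: AclEntry, src_ip: str, user: str, groups: Set[str]) -> bool:
    """True if the requestor (user connecting from src_ip, member of groups) fits the entry."""
    ip = ipaddress.ip_address(src_ip)
    if ip not in entry.network:        # also False when the IP versions differ
        return False
    if entry.user is not None and entry.user != user:
        return False
    if entry.group is not None and entry.group not in groups:
        return False
    return True


def evaluate(acls: Dict[Union[str, int], List[AclEntry]], service: Union[str, int],
             src_ip: str, user: str, groups: Set[str]) -> bool:
    """Decide a connection to 'service' the way the aclls text describes.

    The default ACL (key 0) is logically appended to the service ACL; the
    first matching entry decides; no match at all means denied.
    """
    chain = list(acls.get(service, [])) + list(acls.get(DEFAULT_ACL, []))
    for entry in chain:
        if entry_matches(entry, src_ip, user, groups):
            return not entry.deny
    return False


def example_acls(deny_first: bool = True) -> Dict[Union[str, int], List[AclEntry]]:
    """Constructed sample reproducing the page's deny-a-group-member case.

    Corresponding dacinet invocations in the assumed form of the Syntax section:
        dacinet acladd telnet -10.1.2.7 u:alice      # deny alice from one host
        dacinet acladd telnet 10.1.2.0/24 g:staff    # allow group staff from the subnet
        dacinet acladd 0 192.168.0.0/16              # default ACL: any user, any service
    With deny_first=False the two telnet entries are added in the other order.
    """
    deny_alice = parse_entry("-10.1.2.7 u:alice")
    allow_staff = parse_entry("10.1.2.0/24 g:staff")
    telnet = [deny_alice, allow_staff] if deny_first else [allow_staff, deny_alice]
    return {"telnet": telnet, DEFAULT_ACL: [parse_entry("192.168.0.0/16")]}


if __name__ == "__main__":
    acls = example_acls()
    print(evaluate(acls, "telnet", "10.1.2.7", "alice", {"staff"}))   # False: deny entry comes first
    print(evaluate(acls, "telnet", "10.1.2.9", "bob", {"staff"}))     # True: group allow entry
    print(evaluate(acls, "ssh", "10.1.2.9", "bob", {"staff"}))        # False: no service ACL, default does not match
    print(evaluate(example_acls(deny_first=False), "telnet", "10.1.2.7", "alice", {"staff"}))  # True: allow entry now wins
```

Running the block shows the order dependence directly: with the deny entry added first, alice is refused even though she is in the allowed group, and with the entries reversed the group entry matches first and she is admitted. The same model also shows why a service with no ACL of its own is only reachable through the default ACL, and why a request that matches nothing is refused rather than allowed.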

Files

Item Description
/usr/sbin/dacinet Contains the dacinet command.