I want the user who starts the listening process on the port on the loopback interface to be the only user who can connect to this port. Reserving the port. No authentication.

I want other users to be able to do the same on any available loopback ports.

Is there any mechanism such as selinux or apparmor capable of achieving this?

[EDIT] Just to clarify, the scenario is cntlm on a multi-user machine. Each user is using cntlm to authenticate against a proxy with their own credentials to a unique port on the loopback interface. I'm trying to find a way to isolate this so users can't use each other's proxy connections.

  • I just found this can be done with iptables https://unix.stackexchange.com/questions/486945/restrict-local-port-access-to-a-specific-user – David Diggles Jan 20 '22 at 21:32
  • If your edit changed from an arbitrary port from any user to a fixed list of ports matching a fixed list of users, then it greatly simplified the problem. – A.B Jan 20 '22 at 22:49

2 Answers

If by loopback you mean a network connection only to localhost, consider AF_UNIX sockets. AKA UNIX domain sockets. AKA that non-IP way you can connect to PostgreSQL or MySQL databases.

On Linux, this has the advantage of respecting file permissions. Without write permission on the socket for your user, it will not work. Probably, this behavior isn't standardized.

IP networks do not carry the operating system user ID of who made the packet. Maybe in a nftables firewall rule you can filter on uid, but only in a host firewall, for local sockets. Better would be some authentication protocol.

John Mahowald
  • If the behavior is described in POSIX (https://pubs.opengroup.org/onlinepubs/9699919799/functions/connect.html see EACCES) it's quite standardized behavior. – A.B Jan 19 '22 at 07:04
  • man 7 unix on Linux warns that "on some systems (e.g., older BSDs), the socket permissions are ignored". May be a legacy thing, but worth investigating if this a portable application with no authentication at all. – John Mahowald Jan 19 '22 at 14:41
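As an added example (not code from the thread, cntlm, or any project mentioned above), the Python script below shows the AF_UNIX behaviour this answer describes on Linux: the listening socket is created directly with mode 0600 by narrowing the umask before bind(2), and connect(2) is then refused with EACCES once the caller lacks the write bit. Assumptions: a Linux kernel, a fresh private temp directory from mkdtemp, and a constructed socket file name; root is treated separately because CAP_DAC_OVERRIDE bypasses the check just as it does for any file.

```python
import os
import socket
import stat
import tempfile

# Constructed for this example: the socket file name. The directory comes
# from mkdtemp (mode 0700), so the directory gates access as well.
SOCK_NAME = "demo.sock"


def listen_private(path, mode=0o600):
    """Create a listening AF_UNIX socket whose inode is born with `mode`.

    The umask is narrowed *before* bind(2), so there is no window in which
    the socket exists with wider permissions (chmod after bind leaves one).
    """
    old_umask = os.umask(0o777 & ~mode)
    try:
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    return srv


def socket_mode(path):
    """Permission bits of the socket inode, as `ls -l` would show them."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def connect_allowed(path):
    """True if connect(2) succeeds, False if the kernel refuses with EACCES.

    Linux checks write permission on the socket inode at connect time
    (man 7 unix). A listening socket completes the connection into its
    backlog before accept(2) is ever called, so no server loop is needed.
    """
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        cli.connect(path)
        return True
    except PermissionError:
        return False
    finally:
        cli.close()


def is_root():
    """Root holds CAP_DAC_OVERRIDE and so bypasses the permission check."""
    return os.geteuid() == 0


def demo():
    """Return (mode_bits, owner_can_connect, can_connect_without_write_bit)."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, SOCK_NAME)
    srv = listen_private(path)
    try:
        mode = socket_mode(path)
        owner_ok = connect_allowed(path)
        # Drop the owner's write bit: this is what another user sees on a
        # 0600 socket, and an unprivileged process now gets EACCES.
        os.chmod(path, 0o400)
        other_ok = connect_allowed(path)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)
    return mode, owner_ok, other_ok


if __name__ == "__main__":
    print(demo())
```

Note that cntlm itself listens on TCP, so this only applies if the proxy (or a front-end in front of it) can be made to listen on a path instead of a port; the point of the demo is the mechanism, and the umask-before-bind detail, which is where hand-written socket servers usually get the race wrong.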

Iptables does exactly what I wanted to do. Here's an iptables example that I've tested and works. I just need to write a wrapper to sandwich the cntlm command in the iptables commands. I could call it lunch.sh

# To reserve port 7777 on lo to a user "foo".
# Both rules are inserted (-I) at the head of OUTPUT, so the DROP goes in
# first and the uid-specific ACCEPT second, leaving ACCEPT above DROP.
iptables -I OUTPUT -o lo -p tcp --dport 7777 -j DROP
iptables -I OUTPUT -o lo -p tcp --dport 7777 -m owner --uid-owner foo -j ACCEPT

# To release the port (the -D rule spec must match the inserted rule exactly)
iptables -D OUTPUT -o lo -p tcp --dport 7777 -j DROP
iptables -D OUTPUT -o lo -p tcp --dport 7777 -m owner --uid-owner foo -j ACCEPT
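The wrapper the answer describes, as an added example that is not from the thread, cntlm, or iptables itself, written in Python rather than as the proposed lunch.sh so that the rule-building and the guaranteed cleanup can be checked without touching a live firewall. Assumptions not in the original: the wrapper runs as root (iptables needs it), the served program is started as the target user with runuser(1) from util-linux (cntlm's own -U option would do as well), and the `runner` parameter defaults to subprocess.run so a recording stand-in can be injected.

```python
import contextlib
import subprocess

IPTABLES = "iptables"


def port_rules(user, port, action):
    """iptables argument vectors for `action` ('-I' to add, '-D' to remove).

    With -I both rules go to the top of OUTPUT, so the DROP must be inserted
    first and the uid-specific ACCEPT second; the result is ACCEPT above
    DROP, and the same vectors with -D remove exactly what was added.
    """
    base = [IPTABLES, action, "OUTPUT", "-o", "lo", "-p", "tcp",
            "--dport", str(port)]
    return [
        base + ["-j", "DROP"],
        base + ["-m", "owner", "--uid-owner", user, "-j", "ACCEPT"],
    ]


@contextlib.contextmanager
def reserved_port(user, port, runner=subprocess.run):
    """Hold `port` for `user` while the with-block runs; always clean up.

    `runner` is subprocess.run in real use; tests pass a recording stand-in
    so nothing touches the live firewall.
    """
    added = []
    try:
        for rule in port_rules(user, port, "-I"):
            runner(rule, check=True)
            added.append(rule)
        yield
    finally:
        # Remove only what was actually added, last inserted first, and keep
        # going even if one deletion fails so the DROP never lingers.
        for rule in reversed(added):
            runner([IPTABLES, "-D"] + rule[2:], check=False)


def run_isolated(user, port, argv, runner=subprocess.run):
    """Reserve `port` for `user`, run `argv` as that user, release, return.

    Assumption: runuser(1) drops from root to `user`; the reservation is in
    place before the program starts listening and is removed even if it
    crashes or is interrupted.
    """
    with reserved_port(user, port, runner):
        return runner(["runuser", "-u", user, "--"] + argv)


if __name__ == "__main__":
    import sys
    # Constructed usage: sudo python3 wrapper.py foo 7777 cntlm -f -c cntlm.ini
    result = run_isolated(sys.argv[1], int(sys.argv[2]), sys.argv[3:])
    sys.exit(result.returncode)
```

Two caveats the rules themselves carry: the DROP also catches root and every other uid, since only `foo` has an ACCEPT above it, so add a second ACCEPT if some monitoring user must reach the port; and the owner match only sees locally generated packets, which is exactly what the OUTPUT chain on lo carries, so this does not generalise to non-loopback listeners.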