dacinet Command
Purpose
Administers security on TCP ports in CAPP/EAL4+ configuration.
Syntax
dacinet aclflush
dacinet aclclear Service | Port
dacinet acladd Service | [-] addr [/prefix_length] [u:user | uid | g:group | gid]
dacinet acldel Service | [-] addr [/prefix_length] [u:user | uid | g:group | gid]
dacinet aclls Service | Port
dacinet setpriv Service | Port
dacinet unsetpriv Service | Port
dacinet lspriv
Description
The dacinet command is used to administer security on TCP ports. See the Subcommands section for details of the various functions of dacinet.
Subcommands
Item | Description |
---|---|
acladd | Adds ACL entries to the kernel tables that hold access control lists used by the dacinet command. The syntax of the parameters for the acladd subcommand is as follows: [-]addr[/length][u:user|uid|g:group|gid] The parameters are defined as follows: |
aclclear | Clears the ACL for the specified service or port. |
acldel | Deletes ACL entries from the kernel tables that hold access control lists used by the dacinet command. The dacinet acldel subcommand deletes an entry from an ACL only if it is issued with parameters that exactly match the ones that were used to add the entry to the ACL. The syntax of the parameters for the acldel subcommand is as follows: [-]addr[/length][u:user|uid|g:group|gid] The parameters are defined as follows: |
aclflush | Clears all the ACLs defined in the system, rendering all TCP ports inaccessible to connection requests except from the root user on the host. It also clears privileged ports such that any process can bind to any port above 1024. |
aclls | Lists the ACL for the specified service or port. The dacinet aclls 0 command lists the default ACL. For authentication processing, from a logical perspective, the default ACL is appended to the ACL for the service. If no entry on the ACL matches the user who is attempting a connection to the service, access is denied. If one or more entries exist, the first one on the list with a user|group@host|subnet that matches the connection requester determines the user's ability to connect to the service. It is thus possible to deny a service to a member of a group that has access to the service merely by adding a deny entry for that member before you add the allow entry for the group. |
lspriv | Lists all the privileged services or ports that are not permanently privileged (that is, it lists only privileged services with port numbers above 1024). |
setpriv | Makes the specified service or port privileged such that only a process with superuser privileges might bind to the port and offer a service on that port. Ports below 1024 are ignored as they are permanently privileged. |
unsetpriv | Makes the specified service or port unprivileged such that any process might bind to it. Any process might also bind to any port in the current ephemeral port range, regardless of whether that port is marked as privileged. |
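To make the first-match rule described for aclls concrete, the following is an added Python model of the access decision (example code, not dacinet's own implementation). It assumes acladd parameters laid out as "[-] addr[/prefix_length] [u:user|g:group]" with whitespace between parts, and uses constructed ACLs for a hypothetical telnet service.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of how the page describes a dacinet access decision: the
# service ACL is scanned, the default ACL (aclls 0) is treated as appended to it,
# the first entry whose user|group@host|subnet matches the requester decides,
# and no matching entry at all means the connection is denied.
# Example code only; the argument layout assumed here is
# "[-] addr[/prefix_length] [u:user|g:group]" with whitespace between parts.

@dataclass(frozen=True)
class AclEntry:
    deny: bool        # True when the entry was added with a leading "-"
    network: object   # ipaddress network built from addr[/prefix_length]
    principal: tuple  # ("u", user), ("g", group) or ("*", "") for any user

def parse_entry(spec: str) -> AclEntry:
    """Parse one acladd/acldel parameter string (assumed layout, see above).
    Numeric uid/gid forms are not resolved here; names are compared as given."""
    tokens = spec.split()
    deny = tokens[0].startswith("-")
    if tokens[0] == "-":
        tokens.pop(0)
    elif deny:
        tokens[0] = tokens[0][1:]
    principal = ("*", "")
    if len(tokens) > 1 and tokens[1][:2] in ("u:", "g:"):
        principal = (tokens[1][0], tokens[1][2:])
    # ip_network yields a single-host network when no prefix length is present
    return AclEntry(deny, ip_network(tokens[0], strict=False), principal)

def entry_matches(e: AclEntry, addr: str, user: str, groups: set) -> bool:
    if ip_address(addr) not in e.network:
        return False
    kind, name = e.principal
    return kind == "*" or (kind == "u" and name == user) or (kind == "g" and name in groups)

def allowed(service_acl, default_acl, addr, user, groups) -> bool:
    """First-match evaluation over the service ACL followed by the default ACL."""
    for e in list(service_acl) + list(default_acl):
        if entry_matches(e, addr, user, groups):
            return not e.deny
    return False  # no entry matched: access denied

# Constructed ACLs: the deny for user bob is placed before the allow for group ops,
# so bob is refused even though he is an ops member; the default ACL admits
# anyone connecting from one management host.
telnet_acl = [parse_entry("- 10.0.0.0/8 u:bob"), parse_entry("10.0.0.0/8 g:ops")]
default_acl = [parse_entry("192.168.1.10")]
```

Reversing the order of the two telnet_acl entries would let bob in, which is the ordering pitfall the aclls description warns about.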
Files
Item | Description |
---|---|
/usr/sbin/dacinet | Contains the dacinet command. |