summaryrefslogtreecommitdiff
path: root/usr/src/man/man1/nc.1
diff options
context:
space:
mode:
Diffstat (limited to 'usr/src/man/man1/nc.1')
-rw-r--r--usr/src/man/man1/nc.1910
1 files changed, 910 insertions, 0 deletions
diff --git a/usr/src/man/man1/nc.1 b/usr/src/man/man1/nc.1
new file mode 100644
index 0000000000..0aab2f1f71
--- /dev/null
+++ b/usr/src/man/man1/nc.1
@@ -0,0 +1,910 @@
+'\" te
+.\" Copyright (c) 1996 David Sacerdote All rights reserved.
+.\" Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The name of the author may not be used to endorse or promote products derived from this
+.\" software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\" Portions Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
+.TH nc 1 "Apr 9 2009" "SunOS 5.11" "User Commands"
+.SH NAME
+nc \- arbitrary TCP and UDP connections and listens
+.SH SYNOPSIS
+.LP
+.nf
+\fBnc\fR \fB-h\fR
+.fi
+
+.LP
+.nf
+\fBnc\fR [\fB-46dnrtuvz\fR] [\fB-i\fR \fIinterval\fR] [\fB-P\fR \fIproxy_username\fR] [\fB-p\fR \fIport\fR]
+ [\fB-s\fR \fIsource_ip_address\fR] [\fB-T\fR \fIToS\fR] [\fB-w\fR \fItimeout\fR]
+ [\fB-X\fR \fIproxy_protocol\fR] [\fB-x\fR \fIproxy_address\fR[:\fIport\fR]]
+ \fIhostname\fR \fIport_list\fR
+.fi
+
+.LP
+.nf
+\fBnc\fR \fB-l\fR [\fB-46Ddnrtuvz\fR] [\fB-i\fR \fIinterval\fR] [\fB-T\fR \fIToS\fR] [\fIhostname\fR] \fIport\fR
+.fi
+
+.LP
+.nf
+\fBnc\fR \fB-l\fR [\fB-46Ddnrtuvz\fR] [\fB-i\fR \fIinterval\fR] [\fB-T\fR \fIToS\fR] \fB-p\fR \fIport\fR
+.fi
+
+.LP
+.nf
+\fBnc\fR \fB-U\fR [\fB-Ddtvz\fR] [\fB-i\fR \fIinterval\fR] [\fB-w\fR \fItimeout\fR] \fIpath\fR
+.fi
+
+.LP
+.nf
+\fBnc\fR \fB-Ul\fR [\fB-46Ddktv\fR] [\fB-i\fR \fIinterval\fR] \fIpath\fR
+.fi
+
+.SH DESCRIPTION
+.sp
+.LP
+The \fBnc\fR (or \fBnetcat\fR) utility is used for a variety of tasks
+associated with TCP or UDP. \fBnc\fR can open TCP connections, send UDP
+packets, listen on arbitrary TCP and UDP ports, perform port scanning, and deal
+with both IPv4 and IPv6. Unlike \fBtelnet\fR(1), \fBnc\fR scripts nicely, and
+separates error messages onto standard error instead of sending them to
+standard output.
+.sp
+.LP
+The \fBnc\fR command is often used for the following tasks:
+.RS +4
+.TP
+.ie t \(bu
+.el o
+simple TCP proxies
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+shell-script based HTTP clients and servers
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+network daemon testing
+.RE
+.RS +4
+.TP
+.ie t \(bu
+.el o
+a SOCKS or HTTP \fBProxyCommand\fR for \fBssh\fR(1)
+.RE
+.SH OPTIONS
+.sp
+.LP
+The following options are supported:
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-4\fR\fR
+.ad
+.sp .6
+.RS 4n
+Force \fBnc\fR to use IPv4 addresses only.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-6\fR\fR
+.ad
+.sp .6
+.RS 4n
+Force \fBnc\fR to use IPv6 addresses only.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-D\fR\fR
+.ad
+.sp .6
+.RS 4n
+Enable debugging on the socket.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-d\fR\fR
+.ad
+.sp .6
+.RS 4n
+Do not attempt to read from \fBstdin\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-h\fR\fR
+.ad
+.sp .6
+.RS 4n
+Print \fBnc\fR help.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-i\fR \fIinterval\fR\fR
+.ad
+.sp .6
+.RS 4n
+Specify a delay time of \fIinterval\fR between lines of text sent and received.
+This option also causes a delay time between connections to multiple ports.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-k\fR\fR
+.ad
+.sp .6
+.RS 4n
+Force \fBnc\fR to listen for another connection after its current connection is
+closed.
+.sp
+It is an error to use this option without the \fB-l\fR option.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-l\fR\fR
+.ad
+.sp .6
+.RS 4n
+Listen for an incoming connection rather than initiate a connection to a remote
+host.
+.sp
+It is an error to use this option in conjunction with the \fB-s\fR or \fB-z\fR
+options. Additionally, any \fItimeout\fR specified with the \fB-w\fR option is
+ignored.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-n\fR\fR
+.ad
+.sp .6
+.RS 4n
+Do not do any naming or service lookups on any addresses, hostnames, or ports.
+.sp
+Use of this option means that \fIhostname\fR and \fIport\fR arguments are
+restricted to numeric values.
+.sp
+If used with \fB-v\fR option all addresses and ports are printed in numeric
+form, in addition to the restriction imposed on the arguments. This option does
+not have any effect when used in conjunction with the \fB-U\fR option.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-P\fR \fIproxy_username\fR\fR
+.ad
+.sp .6
+.RS 4n
+Specify a username (\fIproxy_username\fR) to present to a proxy server that
+requires authentication. If \fIproxy_username\fR is not specified,
+authentication is not attempted. Proxy authentication is only supported for
+\fBHTTP CONNECT\fR proxies at present.
+.sp
+It is an error to use this option in conjunction with the \fB-l\fR option.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-p\fR \fIport\fR\fR
+.ad
+.sp .6
+.RS 4n
+When used without \fB-l\fR option, specify the source port \fBnc\fR should use,
+subject to privilege restrictions and availability. When used with the \fB-l\fR
+option, set the listen port.
+.sp
+This option can be used with \fB-l\fR option only provided global port argument
+is not specified.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-r\fR\fR
+.ad
+.sp .6
+.RS 4n
+Choose source or destination ports randomly instead of sequentially within a
+range or in the order that the system assigns them.
+.sp
+It is an error to use this option in conjunction with the \fB-l\fR option.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-s\fR \fIsource_ip_address\fR\fR
+.ad
+.sp .6
+.RS 4n
+Specify the IP of the interface which is used to send the packets.
+.sp
+It is an error to use this option in conjunction with the \fB-l\fR option.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-T\fR \fIToS\fR\fR
+.ad
+.sp .6
+.RS 4n
+Specify IP Type of Service (\fBToS\fR) for the connection. Valid values are the
+tokens: \fBlowdelay\fR, \fBthroughput\fR, \fBreliability\fR, or an 8-bit
+hexadecimal value preceded by \fB0x\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-t\fR\fR
+.ad
+.sp .6
+.RS 4n
+Cause \fBnc\fR to send \fIRFC 854\fR \fBDON'T\fR and \fBWON'T\fR responses to
+\fIRFC 854\fR \fBDO\fR and \fBWILL\fR requests. This makes it possible to use
+\fBnc\fR to script \fBtelnet\fR sessions.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-U\fR\fR
+.ad
+.sp .6
+.RS 4n
+Specify the use of Unix Domain Sockets. If you specify this option without
+\fB-l\fR, \fBnc\fR, it becomes \fBAF_UNIX\fR client. If you specify this option
+with the \fB-l\fR option, a \fBAF_UNIX\fR server is created.
+.sp
+Use of this option requires that a single argument of a valid Unix domain path
+has to be provided to \fBnc\fR, not a host name or port.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-u\fR\fR
+.ad
+.sp .6
+.RS 4n
+Use UDP instead of the default option of TCP.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-v\fR\fR
+.ad
+.sp .6
+.RS 4n
+Specify verbose output.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-w\fR \fItimeout\fR\fR
+.ad
+.sp .6
+.RS 4n
+Silently close the connection if a connection and \fBstdin\fR are idle for more
+than \fItimeout\fR seconds.
+.sp
+This option has no effect on the \fB-l\fR option, that is, \fBnc\fR listens
+forever for a connection, with or without the \fB-w\fR flag. The default is no
+timeout.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-X\fR \fIproxy_protocol\fR\fR
+.ad
+.sp .6
+.RS 4n
+Use the specified protocol when talking to the proxy server. Supported
+protocols are \fB4\fR (\fBSOCKS v.4\fR), \fB5\fR (\fBSOCKS v.5\fR) and
+\fBconnect\fR (\fBHTTP\fR proxy). If the protocol is not specified, \fBSOCKS v.
+5\fR is used.
+.sp
+It is an error to use this option in conjunction with the \fB-l\fR option.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-x\fR \fIproxy_address\fR[:\fIport\fR]\fR
+.ad
+.sp .6
+.RS 4n
+Request connection to \fIhostname\fR using a proxy at \fIproxy_address\fR and
+\fIport\fR. If \fIport\fR is not specified, the well-known port for the proxy
+protocol is used (\fB1080\fR for \fBSOCKS\fR, \fB3128\fR for \fBHTTP\fR).
+.sp
+It is an error to use this option in conjunction with the \fB-l\fR option.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fB-z\fR\fR
+.ad
+.sp .6
+.RS 4n
+Scan for listening daemons, without sending any data to them.
+.sp
+It is an error to use this option in conjunction with the \fB-l\fR option.
+.RE
+
+.SH OPERANDS
+.sp
+.LP
+The following operands are supported:
+.sp
+.ne 2
+.mk
+.na
+\fB\fIhostname\fR\fR
+.ad
+.RS 13n
+.rt
+Specify host name.
+.sp
+\fIhostname\fR can be a numerical IP address or a symbolic hostname (unless the
+\fB-n\fR option is specified).
+.sp
+In general, \fIhostname\fR must be specified, unless the \fB-l\fR option is
+given or \fB-U\fR is used (in which case the argument is a path). If
+\fIhostname\fR argument is specified with \fB-l\fR option then \fIport\fR
+argument must be given as well and \fBnc\fR tries to bind to that address and
+port. If \fIhostname\fR argument is not specified with \fB-l\fR option then
+\fBnc\fR tries to listen on a wildcard socket for given \fIport\fR.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIpath\fR\fR
+.ad
+.RS 13n
+.rt
+Specify pathname.
+.RE
+
+.sp
+.ne 2
+.mk
+.na
+\fB\fIport\fR\fR
+.ad
+.br
+.na
+\fB\fIport_list\fR\fR
+.ad
+.RS 13n
+.rt
+Specify port.
+.sp
+\fIport_list\fR can be specified as single integers, ranges or combinations of
+both. Specify ranges in the form of \fInn-mm\fR. The \fIport_list\fR must have
+at least one member, but can have multiple ports/ranges separated by commas.
+.sp
+In general, a destination port must be specified, unless the \fB-U\fR option is
+given, in which case a Unix Domain Socket path must be specified instead of
+\fIhostname\fR.
+.RE
+
+.SH USAGE
+.SS "Client/Server Model"
+.sp
+.LP
+It is quite simple to build a very basic client/server model using \fBnc\fR. On
+one console, start \fBnc\fR listening on a specific port for a connection. For
+example, the command:
+.sp
+.in +2
+.nf
+$ nc -l 1234
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+listens on port \fB1234\fR for a connection. On a second console (or a second
+machine), connect to the machine and port to which \fBnc\fR is listening:
+.sp
+.in +2
+.nf
+$ nc 127.0.0.1 1234
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+There should now be a connection between the ports. Anything typed at the
+second console is concatenated to the first, and vice-versa. After the
+connection has been set up, \fBnc\fR does not really care which side is being
+used as a \fBserver\fR and which side is being used as a \fBclient\fR. The
+connection can be terminated using an \fBEOF\fR (Ctrl/d).
+.SS "Data Transfer"
+.sp
+.LP
+The example in the previous section can be expanded to build a basic data
+transfer model. Any information input into one end of the connection is output
+to the other end, and input and output can be easily captured in order to
+emulate file transfer.
+.sp
+.LP
+Start by using \fBnc\fR to listen on a specific port, with output captured into
+a file:
+.sp
+.in +2
+.nf
+$ nc -l 1234 > filename.out
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+Using a second machine, connect to the listening \fBnc\fR process, feeding it
+the file which is to be transferred:
+.sp
+.in +2
+.nf
+$ nc host.example.com 1234 < filename.in
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+After the file has been transferred, the connection closes automatically.
+.SS "Talking to Servers"
+.sp
+.LP
+It is sometimes useful to talk to servers \fBby hand\fR rather than through a
+user interface. It can aid in troubleshooting, when it might be necessary to
+verify what data a server is sending in response to commands issued by the
+client.
+.sp
+.LP
+For example, to retrieve the home page of a web site:
+.sp
+.in +2
+.nf
+$ echo -n "GET / HTTP/1.0\er\en\er\en" | nc host.example.com 80
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+This also displays the headers sent by the web server. They can be filtered, if
+necessary, by using a tool such as \fBsed\fR(1).
+.sp
+.LP
+More complicated examples can be built up when the user knows the format of
+requests required by the server. As another example, an email can be submitted
+to an SMTP server using:
+.sp
+.in +2
+.nf
+$ nc localhost 25 << EOF
+HELO host.example.com
+MAIL FROM: <user@host.example.com
+RCTP TO: <user2@host.example.com
+DATA
+Body of email.
+\&.
+QUIT
+EOF
+.fi
+.in -2
+.sp
+
+.SS "Port Scanning"
+.sp
+.LP
+It can be useful to know which ports are open and running services on a target
+machine. The \fB-z\fR flag can be used to tell \fBnc\fR to report open ports,
+rather than to initiate a connection.
+.sp
+.LP
+In this example:
+.sp
+.in +2
+.nf
+$ nc -z host.example.com 20-30
+Connection to host.example.com 22 port [tcp/ssh] succeeded!
+Connection to host.example.com 25 port [tcp/smtp] succeeded!
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The port range was specified to limit the search to ports 20 - 30.
+.sp
+.LP
+Alternatively, it might be useful to know which server software is running, and
+which versions. This information is often contained within the greeting
+banners. In order to retrieve these, it is necessary to first make a
+connection, and then break the connection when the banner has been retrieved.
+This can be accomplished by specifying a small timeout with the \fB-w\fR flag,
+or perhaps by issuing a \fBQUIT\fR command to the server:
+.sp
+.in +2
+.nf
+$ echo "QUIT" | nc host.example.com 20-30
+SSH-2.0-Sun_SSH_1.1
+Protocol mismatch.
+220 host.example.com IMS SMTP Receiver Version 0.84 Ready
+.fi
+.in -2
+.sp
+
+.SS "\fBinetd\fR Capabilities"
+.sp
+.LP
+One of the possible uses is to create simple services by using \fBinetd\fR(1M).
+.sp
+.LP
+The following example creates a redirect from TCP port 8080 to port 80 on host
+\fBrealwww\fR:
+.sp
+.in +2
+.nf
+# cat << EOF >> /etc/services
+wwwredir 8080/tcp # WWW redirect
+EOF
+# cat << EOF > /tmp/wwwredir.conf
+wwwredir stream tcp nowait nobody /usr/bin/nc /usr/bin/nc -w 3 realwww 80
+EOF
+# inetconv -i /tmp/wwwredir.conf
+wwwredir -> /var/svc/manifest/network/wwwredir-tcp.xml
+Importing wwwredir-tcp.xml ...Done
+# inetadm -l wwwredir/tcp
+SCOPE NAME=VALUE
+name="wwwredir"
+endpoint_type="stream"
+proto="tcp"
+isrpc=FALSE
+wait=FALSE
+exec="/usr/bin/nc -w 3 realwww 80"
+arg0="/usr/bin/nc"
+user="nobody"
+default bind_addr=""
+default bind_fail_max=-1
+default bind_fail_interval=-1
+default max_con_rate=-1
+default max_copies=-1
+default con_rate_offline=-1
+default failrate_cnt=40
+default failrate_interval=60
+default inherit_env=TRUE
+default tcp_trace=TRUE
+default tcp_wrappers=FALSE
+.fi
+.in -2
+.sp
+
+.SS "Privileges"
+.sp
+.LP
+To bind to a privileged port number \fBnc\fR needs to be granted the
+\fBnet_privaddr\fR privilege. If Solaris Trusted Extensions are configured and
+the port \fBnc\fR should listen on is configured as a multi-level port \fBnc\fR
+also needs the \fBnet_bindmlp\fR privilege.
+.sp
+.LP
+Privileges can be assigned to the user or role directly, by specifying them in
+the account's default privilege set in \fBuser_attr\fR(4). However, this means
+that any application that this user or role starts have these additional
+privileges. To only grant the \fBprivileges\fR(5) when \fBnc\fR is invoked, the
+recommended approach is to create and assign an \fBrbac\fR(5) rights profile.
+See \fBEXAMPLES\fR for additional information.
+.SH EXAMPLES
+.LP
+\fBExample 1 \fRUsing \fBnc\fR
+.sp
+.LP
+Open a TCP connection to port \fB42\fR of \fBhost.example.com\fR, using port
+\fB3141\fR as the source port, with a timeout of \fB5\fR seconds:
+
+.sp
+.in +2
+.nf
+$ nc -p 3141 -w 5 host.example.com 42
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+Open a UDP connection to port \fB53\fR of \fBhost.example.com\fR:
+
+.sp
+.in +2
+.nf
+$ nc -u host.example.com 53
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+Open a TCP connection to port 42 of \fBhost.example.com\fR using \fB10.1.2.3\fR
+as the IP for the local end of the connection:
+
+.sp
+.in +2
+.nf
+$ nc -s 10.1.2.3 host.example.com 42
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+Use a list of ports and port ranges for a port scan on various ports:
+
+.sp
+.in +2
+.nf
+$ nc -z host.example.com 21-25,53,80,110-120,443
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+Create and listen on a Unix Domain Socket:
+
+.sp
+.in +2
+.nf
+$ nc -lU /var/tmp/dsocket
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+Create and listen on a UDP socket with associated port \fB8888\fR:
+
+.sp
+.in +2
+.nf
+$ nc -u -l -p 8888
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+which is the same as:
+
+.sp
+.in +2
+.nf
+$ nc -u -l 8888
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+Create and listen on a TCP socket with associated port \fB2222\fR and bind to
+address \fB127.0.0.1\fR only:
+
+.sp
+.in +2
+.nf
+$ nc -l 127.0.0.1 2222
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+Connect to port \fB42\fR of \fBhost.example.com\fR using an HTTP proxy at
+\fB10.2.3.4\fR, port \fB8080\fR. This example could also be used by
+\fBssh\fR(1). See the \fBProxyCommand\fR directive in \fBssh_config\fR(4) for
+more information.
+
+.sp
+.in +2
+.nf
+$ nc -x10.2.3.4:8080 -Xconnect host.example.com 42
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+The same example again, this time enabling proxy authentication with username
+\fBruser\fR if the proxy requires it:
+
+.sp
+.in +2
+.nf
+$ nc -x10.2.3.4:8080 -Xconnect -Pruser host.example.com 42
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+To run \fBnc\fR with the smallest possible set of privileges as a user or role
+that has additional privileges (such as the default \fBroot\fR account) it can
+be invoked using \fBppriv\fR(1) as well. For example, limiting it to only run
+with the privilege to bind to a privileged port:
+
+.sp
+.in +2
+.nf
+$ ppriv -e -sA=basic,!file_link_any,!proc_exec,!proc_fork,\e
+!proc_info,!proc_session,net_privaddr nc -l 42
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+To allow a user or role to use only \fBnc\fR with the \fBnet_privaddr\fR
+privilege, a rights profile needs to be created:
+
+.sp
+.in +2
+.nf
+/etc/security/exec_attr
+Netcat privileged:solaris:cmd:::/usr/bin/nc:privs=net_privaddr
+
+/etc/security/prof_attr
+Netcat privileged:::Allow nc to bind to privileged ports:help=None.html
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+Assigning this rights profile using \fBuser_attr\fR(4) permits the user or role
+to run \fBnc\fR allowing it to listen on any port. To permit a user or role to
+use \fBnc\fR only to listen on specific ports a wrapper script should be
+specified in the rights profiles:
+
+.sp
+.in +2
+.nf
+/etc/security/exec_attr
+Netcat restricted:solaris:cmd:::/usr/bin/nc-restricted:privs=net_privaddr
+
+/etc/security/prof_attr
+Netcat restricted:::Allow nc to bind to privileged ports:help=None.html
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+and write a shell script that restricts the permissible options, for example,
+one that permits one to bind only on ports between \fB42\fR and \fB64\fR
+(non-inclusive):
+
+.sp
+.in +2
+.nf
+/usr/bin/nc-restricted:
+
+#!/bin/sh
+[ $# -eq 1 ] && [ $1 -gt 42 -a $1 -lt 64 ] && /usr/bin/nc -l -p "$1"
+.fi
+.in -2
+.sp
+
+.sp
+.LP
+This grants the extra privileges when the user or role invokes \fBnc\fR using
+the wrapper script from a profile shell. See \fBpfsh\fR(1), \fBpfksh\fR(1),
+\fBpfcsh\fR(1), and \fBpfexec\fR(1).
+
+.sp
+.LP
+Invoking \fBnc\fR directly does not run it with the additional privileges, and
+neither does invoking the script without using \fBpfexec\fR or a profile shell.
+
+.SH ATTRIBUTES
+.sp
+.LP
+See \fBattributes\fR(5) for descriptions of the following attributes:
+.sp
+
+.sp
+.TS
+tab() box;
+cw(2.75i) |cw(2.75i)
+lw(2.75i) |lw(2.75i)
+.
+ATTRIBUTE TYPEATTRIBUTE VALUE
+_
+Interface StabilitySee below.
+.TE
+
+.sp
+.LP
+The package name is Committed. The command line syntax is Committed for the
+\fB-4\fR, \fB-6,\fR \fB-l\fR, \fB-n\fR, \fB-p\fR ,\fB-u\fR, and \fB-w\fR
+options and their arguments (if any). The \fIname\fR and \fIport\fR list
+arguments are Committed. The port range syntax is Uncommitted. The interface
+stability level for all other command line options and their arguments is
+Uncommitted.
+.SH SEE ALSO
+.sp
+.LP
+\fBcat\fR(1), \fBpfcsh\fR(1), \fBpfexec\fR(1), \fBpfksh\fR(1), \fBpfsh\fR(1),
+\fBppriv\fR(1), \fBsed\fR(1), \fBssh\fR(1), \fBtelnet\fR(1), \fBinetadm\fR(1M),
+\fBinetconv\fR(1M), \fBinetd\fR(1M), \fBssh_config\fR(4), \fBuser_attr\fR(4),
+\fBattributes\fR(5), \fBprivileges\fR(5), \fBrbac\fR(5)
+.SH AUTHORS
+.sp
+.LP
+The original implementation of \fBnc\fR was written by Hobbit,
+\fBhobbit@avian.org\fR.
+.sp
+.LP
+\fBnc\fR was rewritten with IPv6 support by Eric Jackson,
+\fBericj@monkey.org\fR.
+.SH NOTES
+.sp
+.LP
+UDP port scans always succeeds, that is, reports the port as open, rendering
+the \fB-uz\fR combination of flags relatively useless.
generated by cgit v1.2.3 (git 2.46.0) at 2025-10-22 21:38:12 +0000