Date: Mon, 16 Nov 2020 10:45:17 -0600
From: Matthew Grooms <mgrooms@shrew.net>
To: freebsd-pf@freebsd.org
Subject: Running authpf on modern FreeBSD
Message-ID: <2f83fcb3-3aa4-96d4-3254-31c67fa2e8fd@shrew.net>
Hi Everyone,

Is authpf supported on FreeBSD these days? It's included in the base distribution, so I'd assume so. I tried to follow the man page and some older howtos online, but didn't have much luck.

It would appear that the binary is installed with the setuid bit set in the filesystem ...

# ls -la /usr/sbin/authpf
-r-sr-sr-x  2 root  authpf  24424 Sep 26  2019 /usr/sbin/authpf

... As far as I can tell, support for that isn't enabled in the generic kernel, as enabling the feature on the mount command doesn't show setuid as an enabled option ...

# mount
/dev/gpt/rootfs on / (ufs, local, soft-updates)

There's no mention of this requirement in the authpf man page, but there is a reference to mount(8) in the chmod(2) man page. The mount man page suggests a custom kernel may be required for the suiddir option, but it's not clear if that's required for suid operation. Pretty confusing.

When I try to test the authpf binary directly under truss, it hits a bunch of errors that would suggest it needs root permissions. I can hack around some of them, but eventually get stuck on ...

$ truss -s128 /usr/sbin/authpf
...
socket(PF_LOCAL,SOCK_DGRAM|SOCK_CLOEXEC,0) = 6 (0x6)
connect(6,{ AF_UNIX "/var/run/logpriv" },106) ERR#13 'Permission denied'
connect(6,{ AF_UNIX "/var/run/log" },106) = 0 (0x0)
sendto(6,"<14>Nov 16 10:24:01 authpf: setgroups: Operation not permitted",62,0,NULL,0) = 62 (0x3e)

The setgroups(2) man page states that "Only the super-user may set a new group list".

Any suggestions?

Thanks,
-Matthew
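The post is probing two separate preconditions for a setuid-root helper such as authpf: the file must carry the setuid bit, and the filesystem it lives on must honor that bit (mount(8) prints "nosuid" only when the option is set; a mount line with no "nosuid", like the one above, honors setuid binaries). A third condition explains the truss output: a process being traced by an unprivileged debugger (truss, ptrace) does not gain privileges when it executes a setuid image, so setgroups(2) fails with EPERM just as it would for any ordinary user. The C program below is an added example, not code from the post or from FreeBSD's authpf; it checks the static conditions against constructed mount-option strings and file modes, and reports the runtime condition (effective uid) so a defender can tell which of the three is the reason a helper is running unprivileged. The path `/usr/sbin/authpf` in main() is taken from the post and only inspected if present.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if a mount(8) option list such as "ufs, local, nosuid, soft-updates"
 * contains the standalone token "nosuid", meaning the kernel ignores the setuid
 * and setgid bits on files in that filesystem. Absence of the token means the
 * bits are honored, which is the default. Token boundaries are checked so that
 * a word merely containing "nosuid" does not count. */
int mount_blocks_suid(const char *opts) {
    const char *p = opts;
    while ((p = strstr(p, "nosuid")) != NULL) {
        int start_ok = (p == opts) || !isalnum((unsigned char)p[-1]);
        int end_ok = !isalnum((unsigned char)p[6]);
        if (start_ok && end_ok)
            return 1;
        p += 6;
    }
    return 0;
}

/* Return 1 if the st_mode of a file carries the setuid bit (the "s" in
 * the user-execute position of ls -l output, e.g. -r-sr-sr-x). */
int file_is_setuid(mode_t mode) {
    return (mode & S_ISUID) != 0;
}

/* Static judgement: will exec of this file run with the owner's uid?
 * Both the bit and a mount that honors it are required. */
int setuid_will_take_effect(mode_t mode, const char *mount_opts) {
    return file_is_setuid(mode) && !mount_blocks_suid(mount_opts);
}

/* Runtime judgement made from inside the helper itself: setgroups(2) and
 * friends need euid 0. Returns 0 when privileged; otherwise -1 and fills buf
 * with the diagnostic a helper should log before giving up. */
int check_setgroups_precondition(char *buf, size_t len) {
    if (geteuid() == 0)
        return 0;
    snprintf(buf, len,
             "euid=%u uid=%u: setgroups(2) will fail with EPERM; the setuid bit "
             "did not take effect (bit clear, nosuid mount, or exec under a "
             "tracer such as truss, which suppresses privilege elevation)",
             (unsigned)geteuid(), (unsigned)getuid());
    return -1;
}

int main(void) {
    /* Path from the post; inspected only if it exists on this host. */
    const char *path = "/usr/sbin/authpf";
    struct stat st;
    char msg[256];

    if (stat(path, &st) == 0)
        printf("%s setuid bit: %s\n", path,
               file_is_setuid(st.st_mode) ? "set" : "clear");

    /* Constructed mount lines mirroring the post's "mount" output. */
    printf("honored on '(ufs, local, soft-updates)': %d\n",
           !mount_blocks_suid("ufs, local, soft-updates"));
    printf("honored on '(ufs, local, nosuid)': %d\n",
           !mount_blocks_suid("ufs, local, nosuid"));

    if (check_setgroups_precondition(msg, sizeof msg) != 0)
        puts(msg);
    else
        puts("euid 0: setgroups(2) is permitted");
    return 0;
}
```

Run it once normally and once under truss or strace from an unprivileged account: the static checks give the same answers both times, while the runtime check changes, which is the distinction the post's truss session blurs.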