Date:      Mon, 16 Nov 2020 10:45:17 -0600
From:      Matthew Grooms <mgrooms@shrew.net>
To:        freebsd-pf@freebsd.org
Subject:   Running authpf on modern FreeBSD
Message-ID:  <2f83fcb3-3aa4-96d4-3254-31c67fa2e8fd@shrew.net>

Hi Everyone,

Is authpf supported on FreeBSD these days? It's included in the base 
distribution, so I'd assume so. I tried to follow the man page and some 
older howtos online, but didn't have much luck. It would appear that 
the binary is installed with the setuid bit set in the filesystem ...

# ls -la /usr/sbin/authpf
-r-sr-sr-x  2 root  authpf  24424 Sep 26  2019 /usr/sbin/authpf

... As far as I can tell, support for that isn't enabled in the generic 
kernel as enabling the feature on the mount command doesn't show setuid 
as an enabled option ...

# mount
/dev/gpt/rootfs on / (ufs, local, soft-updates)

There's no mention of this requirement in the authpf man page, but there 
is a reference to mount(8) in the chmod(2) man page. The mount man page 
suggests a custom kernel may be required for the suiddir option, but 
it's not clear if that's required for suid operation. Pretty confusing.

When I try to test the authpf binary directly under truss, it hits a 
bunch of errors that would suggest it needs root permissions. I can hack 
around some of them, but eventually get stuck on ...

$ truss -s128 /usr/sbin/authpf
...
socket(PF_LOCAL,SOCK_DGRAM|SOCK_CLOEXEC,0)       = 6 (0x6)
connect(6,{ AF_UNIX "/var/run/logpriv" },106)    ERR#13 'Permission denied'
connect(6,{ AF_UNIX "/var/run/log" },106)        = 0 (0x0)
sendto(6,"<14>Nov 16 10:24:01 authpf: setgroups: Operation not permitted",62,0,NULL,0) = 62 (0x3e)

The setgroups(2) man page states that "Only the super-user may set a new 
group list". Any suggestions?

Thanks,

-Matthew
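As an added example that is not part of the original message: a small POSIX sh check that reads a binary's mode string from an `ls -l` line and the option list from a `mount` line and reports whether the setuid bit can take effect. On FreeBSD the kernel honours setuid/setgid bits unless the filesystem is mounted with `nosuid`; the `suiddir` option is a separate UFS feature that concerns directories, not executables. The sample lines are constructed from the ones quoted in the mail, with a second, hypothetical `nosuid` mount line added for contrast.

```shell
#!/bin/sh
# Added example, not from the original mail: decide from an ls(1) mode string
# and the option list of a mount(8) line whether a setuid bit will take effect.
# The kernel honours setuid/setgid unless the filesystem is mounted "nosuid";
# "suiddir" is unrelated (it governs ownership of new files in a directory).

# mode_bits MODE -> prints "setuid", "setgid", "setuid,setgid" or "none".
# MODE is the first field of an `ls -l` line, e.g. -r-sr-sr-x
mode_bits() {
    mode=$1
    out=""
    case "$(printf %s "$mode" | cut -c4)" in s|S) out="setuid" ;; esac
    case "$(printf %s "$mode" | cut -c7)" in s|S) out="${out:+$out,}setgid" ;; esac
    printf '%s\n' "${out:-none}"
}

# mount_has_nosuid MOUNT_LINE -> exit 0 when "nosuid" is among the
# comma-separated options inside the parentheses of a mount(8) line.
mount_has_nosuid() {
    opts=$(printf %s "$1" | sed -n 's/.*(\(.*\)).*/\1/p' | tr -d ' ')
    case ",$opts," in *,nosuid,*) return 0 ;; esac
    return 1
}

# setuid_effective LS_LINE MOUNT_LINE -> prints a verdict; exit 0 when the
# setuid bit is present and the filesystem allows it, 1 otherwise.
setuid_effective() {
    mode=$(printf %s "$1" | awk '{print $1}')
    bits=$(mode_bits "$mode")
    case "$bits" in *setuid*) ;; *) echo "no setuid bit ($mode)"; return 1 ;; esac
    if mount_has_nosuid "$2"; then
        echo "setuid bit set but filesystem mounted nosuid"; return 1
    fi
    echo "setuid honoured ($bits)"; return 0
}

# Constructed sample lines modelled on the ones quoted in the mail;
# MOUNT_NOSUID is hypothetical, added only to show the failing case.
LS_LINE='-r-sr-sr-x  2 root  authpf  24424 Sep 26  2019 /usr/sbin/authpf'
MOUNT_OK='/dev/gpt/rootfs on / (ufs, local, soft-updates)'
MOUNT_NOSUID='/dev/gpt/rootfs on / (ufs, local, nosuid, soft-updates)'

setuid_effective "$LS_LINE" "$MOUNT_OK"
setuid_effective "$LS_LINE" "$MOUNT_NOSUID" || true
```

If the bit is present and the filesystem is not `nosuid`, yet the process still reports EPERM from setgroups(2), the cause lies elsewhere (for example the file was copied without preserving its mode).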
