From: Matthew Grooms <mgrooms@shrew.net>
To: freebsd-pf@freebsd.org
Subject: Running authpf on modern FreeBSD
Date: Mon, 16 Nov 2020 10:45:17 -0600
Message-ID: <2f83fcb3-3aa4-96d4-3254-31c67fa2e8fd@shrew.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi Everyone,

Is authpf supported on FreeBSD these days? It's included in the base distribution, so I'd assume so. I tried to follow the man page and some older howtos online, but didn't have much luck.

It would appear that the binary is installed with the setuid bit set in the filesystem ...

    # ls -la /usr/sbin/authpf
    -r-sr-sr-x  2 root  authpf  24424 Sep 26  2019 /usr/sbin/authpf

... As far as I can tell, support for that isn't enabled in the generic kernel, as enabling the feature on the mount command doesn't show setuid as an enabled option ...

    # mount
    /dev/gpt/rootfs on / (ufs, local, soft-updates)

There's no mention of this requirement in the authpf man page, but there is a reference to mount(8) in the chmod(2) man page. The mount man page suggests a custom kernel may be required for the suiddir option, but it's not clear if that's required for suid operation. Pretty confusing.

When I try to test the authpf binary directly under truss, it hits a bunch of errors that would suggest it needs root permissions. I can hack around some of them, but eventually get stuck on ...

    $ truss -s128 /usr/sbin/authpf
    ...
    socket(PF_LOCAL,SOCK_DGRAM|SOCK_CLOEXEC,0)       = 6 (0x6)
    connect(6,{ AF_UNIX "/var/run/logpriv" },106)    ERR#13 'Permission denied'
    connect(6,{ AF_UNIX "/var/run/log" },106)        = 0 (0x0)
    sendto(6,"<14>Nov 16 10:24:01 authpf: setgroups: Operation not permitted",62,0,NULL,0) = 62 (0x3e)

The setgroups(2) man page states that "Only the super-user may set a new group list".

Any suggestions?

Thanks,
-Matthew
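An added example, not part of Matthew's post nor of the authpf or FreeBSD sources: a small POSIX sh script that checks the two conditions a setuid binary such as /usr/sbin/authpf must meet before the kernel will raise its privileges at exec time, namely the setuid bit in the file mode and the absence of the nosuid flag on the mount holding the file. The nosuid flag is a per-mount option and is independent of the suiddir option (which only makes new files inherit a directory's owner and needs a kernel built with that option). The mount lines used in the self-checks are constructed; the only real path is the one from the post. One caveat when reproducing the truss run: the kernel does not apply a setuid binary's credential change to a process that is being traced by an unprivileged user, so a non-root `truss /usr/sbin/authpf` runs the binary without root, and failures such as the setgroups error are expected in that setup regardless of the file mode or mount flags.

```shell
#!/bin/sh
# Added example (not from the list post or the authpf sources).
# Checks whether a binary can actually gain privileges through its setuid bit:
#   1. the file mode carries the setuid bit (4th character of "ls -ld" is s/S);
#   2. the filesystem holding it is not mounted nosuid (the kernel ignores the
#      bit on nosuid mounts).
# The mount-line strings used for checks are constructed, not from a real host.

# setuid_in_mode MODESTRING -> 0 if a mode string such as "-r-sr-sr-x" has setuid
setuid_in_mode() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# setgid_in_mode MODESTRING -> 0 if the 7th character marks setgid
setgid_in_mode() {
    case "$1" in
        ??????[sS]*) return 0 ;;
        *)           return 1 ;;
    esac
}

# mode_of FILE -> the 10-character mode string from ls -ld (BSD and GNU ls agree here)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

has_setuid() { setuid_in_mode "$(mode_of "$1")"; }
has_setgid() { setgid_in_mode "$(mode_of "$1")"; }

# mount_line_has_nosuid "DEV on MP (opts)" -> 0 if the mount options contain nosuid
mount_line_has_nosuid() {
    case "$1" in
        *nosuid*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mountpoint_of FILE -> the mount point holding FILE (df -P is POSIX; column 6)
mountpoint_of() {
    df -P "$1" | awk 'NR == 2 { print $6 }'
}

# mount_line_of MOUNTPOINT -> the "dev on mp ..." line printed by mount(8) for it
mount_line_of() {
    mount | awk -v mp="$1" '$2 == "on" && $3 == mp { print; exit }'
}

# check_binary FILE -> prints a report; exit status 0 only when the setuid bit
# is present and the mount will honour it
check_binary() {
    f=$1
    [ -e "$f" ] || { echo "$f: no such file"; return 2; }
    mode=$(mode_of "$f")
    mp=$(mountpoint_of "$f")
    line=$(mount_line_of "$mp")
    printf '%s: mode %s, mount point %s\n' "$f" "$mode" "$mp"
    printf '  mount: %s\n' "$line"
    if ! setuid_in_mode "$mode"; then
        echo '  setuid bit is NOT set'
        return 1
    fi
    if mount_line_has_nosuid "$line"; then
        echo '  filesystem is mounted nosuid: the kernel will ignore the setuid bit'
        return 1
    fi
    echo '  setuid bit is set and the mount honours it'
    return 0
}

# Usage on a FreeBSD host (the path is the one from the post):
#   check_binary /usr/sbin/authpf
```

Run directly, not under truss or another tracer, when you want the result to reflect what an interactive ssh login of the authpf user would get; the tracer itself is the reason a setuid binary stays unprivileged.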