From owner-freebsd-bugs@FreeBSD.ORG Fri Oct 19 22:50:01 2012 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 6622970B for ; Fri, 19 Oct 2012 22:50:01 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.FreeBSD.org [8.8.178.135]) by mx1.freebsd.org (Postfix) with ESMTP id 3C9C18FC0A for ; Fri, 19 Oct 2012 22:50:01 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q9JMo1gg058855 for ; Fri, 19 Oct 2012 22:50:01 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q9JMo127058854; Fri, 19 Oct 2012 22:50:01 GMT (envelope-from gnats) Resent-Date: Fri, 19 Oct 2012 22:50:01 GMT Resent-Message-Id: <201210192250.q9JMo127058854@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Frank Timmers Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 6C35D709 for ; Fri, 19 Oct 2012 22:49:21 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22]) by mx1.freebsd.org (Postfix) with ESMTP id 4A4758FC0C for ; Fri, 19 Oct 2012 22:49:21 +0000 (UTC) Received: from red.freebsd.org (localhost [127.0.0.1]) by red.freebsd.org (8.14.5/8.14.5) with ESMTP id q9JMnKEv008935 for ; Fri, 19 Oct 2012 22:49:20 GMT (envelope-from nobody@red.freebsd.org) Received: (from nobody@localhost) by red.freebsd.org (8.14.5/8.14.5/Submit) id q9JMnK4V008931; Fri, 19 Oct 2012 22:49:20 GMT (envelope-from nobody) Message-Id: <201210192249.q9JMnK4V008931@red.freebsd.org> Date: Fri, 19 Oct 2012 22:49:20 GMT 
From: Frank Timmers To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Subject: bin/172888: authpf feature enhancement X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Oct 2012 22:50:01 -0000 >Number: 172888 >Category: bin >Synopsis: authpf feature enhancement >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Oct 19 22:50:00 UTC 2012 >Closed-Date: >Last-Modified: >Originator: Frank Timmers >Release: FreeBSD 9.0-RELEASE >Organization: Lion-X >Environment: FreeBSD fbsdtest 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:15:25 UTC 2012 root@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386 >Description: the current version of authpf allows you to load pf rules based on the connecting user. This patch adds the possibility to load pf rules based on (primary) group membership without breaking the original functionality and behavior. >How-To-Repeat: user pf rules are in /etc/authpf/users/$USER This patch will first look in the directory above, then in /etc/authpf/groups/$GROUP >Fix: apply attached patch Patch attached with submission follows: diff -up contrib/pf/authpf.orig/authpf.8 contrib/pf/authpf/authpf.8 --- contrib/pf/authpf.orig/authpf.8 2012-01-03 04:24:44.000000000 +0100 +++ contrib/pf/authpf/authpf.8 2012-10-20 00:42:15.000000000 +0200 
@@ -139,14 +139,20 @@ Filter and translation rules are stored .Pa authpf.rules . This file will first be searched for in .Pa /etc/authpf/users/$USER/ -and then in +, then in +.Pa /etc/authpf/groups/$GROUP/ +and finally in .Pa /etc/authpf/ . -Only one of these files will be used if both are present. +Only the the first found file will be used. .Pp Per-user rules from the .Pa /etc/authpf/users/$USER/ directory are intended to be used when non-default rules are needed on an individual user basis. +Per-group rules from the +.Pa /etc/authpf/groups/$GROUP/ +directory are intended to be used when non-default rules +are needed on a group basis. It is important to ensure that a user can not write or change these configuration files. .Pp diff -up contrib/pf/authpf.orig/authpf.c contrib/pf/authpf/authpf.c --- contrib/pf/authpf.orig/authpf.c 2012-01-03 04:24:44.000000000 +0100 +++ contrib/pf/authpf/authpf.c 2012-10-20 00:44:58.000000000 +0200 @@ -758,6 +758,12 @@ change_filter(int add, const char *l_use if (add) { struct stat sb; + struct group *grent; + if((grent = getgrgid(getgid())) == NULL) { + syslog(LOG_ERR, "group id %d for user %s is ot found in groupfile!", + getgid(), luser); + } + char *pargv[13] = { "pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset", "-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL @@ -781,8 +787,12 @@ change_filter(int add, const char *l_use goto no_mem; if (stat(fn, &sb) == -1) { free(fn); - if ((fn = strdup(PATH_PFRULES)) == NULL) + if(asprintf(&fn, "%s/%s/authpf.rules", PATH_GROUP_DIR, grent->gr_name) == -1) goto no_mem; + if(stat(fn, &sb) == -1) { + if ((fn = strdup(PATH_PFRULES)) == NULL) + goto no_mem; + } } pargv[2] = fdpath; pargv[5] = rsn; diff -up contrib/pf/authpf.orig/pathnames.h contrib/pf/authpf/pathnames.h --- contrib/pf/authpf.orig/pathnames.h 2012-01-03 04:24:44.000000000 +0100 +++ contrib/pf/authpf/pathnames.h 2012-10-20 00:42:15.000000000 +0200 
@@ -31,6 +31,7 @@ #define PATH_PROBLEM "/etc/authpf/authpf.problem" #define PATH_MESSAGE "/etc/authpf/authpf.message" #define PATH_USER_DIR "/etc/authpf/users" +#define PATH_GROUP_DIR "/etc/authpf/groups" #define PATH_BAN_DIR "/etc/authpf/banned" #define PATH_DEVFILE "/dev/pf" #define PATH_PIDFILE "/var/authpf" >Release-Note: >Audit-Trail: >Unformatted:
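Review bot: the replacement line in the authpf.8 hunk, `+Only the the first found file will be used.`, doubles "the"; suggest `Only the first file found will be used.` The `+, then in` line also begins with a bare comma, which mdoc renders with a space between the preceding `.Pa` argument and the comma; attach the punctuation to the macro line instead (`.Pa /etc/authpf/users/$USER/ ,`) or keep the `and then in` construction and add the group directory after it.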
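Review bot: the `getgrgid(getgid())` failure path in the first authpf.c hunk only logs and falls through, leaving `grent` NULL for the later `grent->gr_name` dereference, so a user whose primary gid has no group entry turns a logging condition into a crash; fail closed here (return without loading rules, as the existing error paths do) or skip the group lookup and continue to the per-user and default rules. The message text also has a typo (`is ot found`) and formats `gid_t` with `%d`; use `%u` with a cast. Placing the `if` block between `struct group *grent;` and the `char *pargv[13]` declaration mixes declarations and statements, which style(9) disallows; declare `grent` beside `struct stat sb;` and do the lookup after the declarations. Use `if (` rather than `if(` per style(9), and add `#include <grp.h>` for `getgrgid()` if authpf.c does not already include it.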
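Review bot: in the second authpf.c hunk the `fn` buffer allocated by `asprintf()` for the group path is never released before `fn = strdup(PATH_PFRULES)` reassigns it when the group `stat()` fails, leaking it on every fall-through to the default rules file; add `free(fn);` before the `strdup()`, mirroring the `free(fn);` already present after the per-user `stat()` fails. The hunk also depends on `grent` being non-NULL, which the lookup in the previous hunk does not guarantee, so the NULL case must be resolved there before this path is safe.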