Date:      Fri, 19 Oct 2012 22:49:20 GMT
From:      Frank Timmers <frank@smurfnet.eu>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   bin/172888: authpf feature enhancement
Message-ID:  <201210192249.q9JMnK4V008931@red.freebsd.org>
Resent-Message-ID: <201210192250.q9JMo127058854@freefall.freebsd.org>


>Number:         172888
>Category:       bin
>Synopsis:       authpf feature enhancement
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 19 22:50:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Frank Timmers
>Release:        FreeBSD 9.0-RELEASE
>Organization:
Lion-X
>Environment:
FreeBSD fbsdtest 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:15:25 UTC 2012     root@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
The current version of authpf allows you to load pf rules based on the connecting user. This patch adds the ability to load pf rules based on (primary) group membership without breaking the original functionality and behavior.
>How-To-Repeat:
User pf rules are in /etc/authpf/users/$USER

This patch will first look in the directory above, then in /etc/authpf/groups/$GROUP
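The three-stage lookup described above (per-user file, then per-group file, then the default), written out as an added example; this is not the submitted patch and not FreeBSD's authpf code. It assumes a hypothetical "base" directory parameter in place of the fixed /etc/authpf so the order can be exercised against a scratch tree, takes the group name from the user's passwd entry rather than from the process gid, treats a failed group lookup (NULL) as "skip that stage" rather than dereferencing it, and frees every candidate path it does not return.

```c
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Return a malloc'd "<base>/<subdir>/<name>/authpf.rules" if it exists as a
 * regular file, else NULL.  Names come from passwd/group, but refuse a '/'
 * anyway so a name can never walk out of its directory. */
static char *
existing_rules(const char *base, const char *subdir, const char *name)
{
	char fn[PATH_MAX];
	struct stat sb;

	if (strchr(name, '/') != NULL)
		return NULL;
	if (snprintf(fn, sizeof fn, "%s/%s/%s/authpf.rules", base, subdir,
	    name) >= (int)sizeof fn)
		return NULL;		/* too long: treat as absent */
	if (stat(fn, &sb) == 0 && S_ISREG(sb.st_mode))
		return strdup(fn);
	return NULL;
}

/* Lookup order from the PR: users/$USER, groups/$GROUP, then the default.
 * group == NULL (lookup failed) skips the middle stage.  Caller frees. */
char *
resolve_rules(const char *base, const char *user, const char *group)
{
	char fn[PATH_MAX];
	char *found;

	if ((found = existing_rules(base, "users", user)) != NULL)
		return found;
	if (group != NULL &&
	    (found = existing_rules(base, "groups", group)) != NULL)
		return found;
	snprintf(fn, sizeof fn, "%s/authpf.rules", base);
	return strdup(fn);
}

/* Primary group name of a user from the passwd and group databases, or
 * NULL if either lookup fails.  Points into getgrgid()'s static storage. */
const char *
primary_group_name(const char *user)
{
	struct passwd *pw = getpwnam(user);
	struct group *gr;

	if (pw == NULL || (gr = getgrgid(pw->pw_gid)) == NULL)
		return NULL;
	return gr->gr_name;
}

/* Create <base>/<rel> as an empty file, making parent directories. */
static int
make_file(const char *base, const char *rel)
{
	char path[PATH_MAX];
	FILE *f;

	snprintf(path, sizeof path, "%s/%s", base, rel);
	for (char *p = path + strlen(base) + 1; *p != '\0'; p++)
		if (*p == '/') {
			*p = '\0';
			(void)mkdir(path, 0755);	/* may already exist */
			*p = '/';
		}
	if ((f = fopen(path, "w")) == NULL)
		return -1;
	fclose(f);
	return 0;
}

/* 1 if resolve_rules() chose the path ending in "suffix". */
static int
picks(const char *base, const char *user, const char *group, const char *suffix)
{
	char *fn = resolve_rules(base, user, group);
	int ok = fn != NULL && strcmp(fn + strlen(base), suffix) == 0;

	free(fn);
	return ok;
}

/* Walk the order against a constructed scratch tree under /tmp (left in
 * place for inspection).  Returns how many of the 4 stages resolved as
 * documented, or -1 if the tree could not be created. */
int
demo_lookup_order(void)
{
	char tmpl[] = "/tmp/authpf-demo-XXXXXX";
	char *base = mkdtemp(tmpl);
	int score = 0;

	if (base == NULL)
		return -1;
	/* 1. nothing present: default file */
	score += picks(base, "alice", "staff", "/authpf.rules");
	/* 2. group file present: beats the default */
	if (make_file(base, "groups/staff/authpf.rules") == 0)
		score += picks(base, "alice", "staff",
		    "/groups/staff/authpf.rules");
	/* 3. group lookup failed: straight to default, no NULL deref */
	score += picks(base, "alice", NULL, "/authpf.rules");
	/* 4. user file present: beats the group file */
	if (make_file(base, "users/alice/authpf.rules") == 0)
		score += picks(base, "alice", "staff",
		    "/users/alice/authpf.rules");
	return score;
}

int
main(void)
{
	printf("stages resolved as documented: %d/4\n", demo_lookup_order());
	return 0;
}
```

The user and group names are constructed (alice, staff) and only touch the scratch tree; nothing here reads /etc/authpf or talks to pf.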
>Fix:
Apply the attached patch.

Patch attached with submission follows:

diff -up contrib/pf/authpf.orig/authpf.8 contrib/pf/authpf/authpf.8
--- contrib/pf/authpf.orig/authpf.8	2012-01-03 04:24:44.000000000 +0100
+++ contrib/pf/authpf/authpf.8	2012-10-20 00:42:15.000000000 +0200
@@ -139,14 +139,20 @@ Filter and translation rules are stored 
 .Pa authpf.rules .
 This file will first be searched for in
 .Pa /etc/authpf/users/$USER/
-and then in
+, then in
+.Pa /etc/authpf/groups/$GROUP/
+and finally in
 .Pa /etc/authpf/ .
-Only one of these files will be used if both are present.
+Only the the first found file will be used.
 .Pp
 Per-user rules from the
 .Pa /etc/authpf/users/$USER/
 directory are intended to be used when non-default rules
 are needed on an individual user basis.
+Per-group rules from the
+.Pa /etc/authpf/groups/$GROUP/
+directory are intended to be used when non-default rules
+are needed on a group basis.
 It is important to ensure that a user can not write or change
 these configuration files.
 .Pp
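Review bot: the added line `+Only the the first found file will be used.` doubles "the". The new `+, then in` line also starts with punctuation; since roff joins filled text lines with a space, this renders as "users/$USER/ , then in". Put the comma on the preceding macro line as an mdoc trailing-punctuation argument, `.Pa /etc/authpf/users/$USER/ ,`, and keep `then in` on its own line. The new text introduces `$GROUP` without defining it; the PR description says primary group, so state next to the `$USER` explanation that `$GROUP` is the name of the user's primary group.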
diff -up contrib/pf/authpf.orig/authpf.c contrib/pf/authpf/authpf.c
--- contrib/pf/authpf.orig/authpf.c	2012-01-03 04:24:44.000000000 +0100
+++ contrib/pf/authpf/authpf.c	2012-10-20 00:44:58.000000000 +0200
@@ -758,6 +758,12 @@ change_filter(int add, const char *l_use
 
 	if (add) {
 		struct stat sb;
+		struct group *grent;
+		if((grent = getgrgid(getgid())) == NULL) {
+			syslog(LOG_ERR, "group id %d for user %s is ot found in groupfile!",
+			    getgid(), luser);
+		}
+
 		char *pargv[13] = {
 			"pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
 			"-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL
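Review bot: the failure branch after `getgrgid(getgid())` only logs and falls through, so `grent` stays NULL and is dereferenced later in the same function; either jump to the error exit here or make the group-file stage conditional on `grent != NULL`. The message text has a typo ("is ot found"), and `%d` does not match `gid_t`; cast to `(unsigned long)` with `%lu` or use `%u`. Style: the new declaration and statements are wedged between the existing `struct stat sb;` and `char *pargv[13]` declarations; move `struct group *grent;` up with the other declarations and write `if (` with a space per style(9). No `#include <grp.h>` appears anywhere in the diff; confirm authpf.c already has it, since `getgrgid()` and `struct group` are declared there. Finally, the group is taken from the process's real gid rather than from the passwd entry of `luser` (the user the rules are being loaded for); if those two can differ at this point, derive it from `getpwnam(luser)->pw_gid` instead.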
@@ -781,8 +787,12 @@ change_filter(int add, const char *l_use
 			goto no_mem;
 		if (stat(fn, &sb) == -1) {
 			free(fn);
-			if ((fn = strdup(PATH_PFRULES)) == NULL)
+			if(asprintf(&fn, "%s/%s/authpf.rules", PATH_GROUP_DIR, grent->gr_name) == -1)
 				goto no_mem;
+			if(stat(fn, &sb) == -1) {
+				if ((fn = strdup(PATH_PFRULES)) == NULL)
+					goto no_mem;
+			}
 		}
 		pargv[2] = fdpath;
 		pargv[5] = rsn;
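Review bot: `grent->gr_name` in the new `asprintf` call is dereferenced with no NULL check, so a group lookup failure in the previous hunk becomes a crash here instead of the documented fallback to `/etc/authpf/authpf.rules`; guard the group stage with `grent != NULL` and go straight to `PATH_PFRULES` otherwise. The inner fallback also assigns `fn = strdup(PATH_PFRULES)` without freeing the string `asprintf` just allocated; add `free(fn);` before the `strdup`, matching the existing `free(fn);` two lines above.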
diff -up contrib/pf/authpf.orig/pathnames.h contrib/pf/authpf/pathnames.h
--- contrib/pf/authpf.orig/pathnames.h	2012-01-03 04:24:44.000000000 +0100
+++ contrib/pf/authpf/pathnames.h	2012-10-20 00:42:15.000000000 +0200
@@ -31,6 +31,7 @@
 #define PATH_PROBLEM		"/etc/authpf/authpf.problem"
 #define PATH_MESSAGE		"/etc/authpf/authpf.message"
 #define PATH_USER_DIR		"/etc/authpf/users"
+#define PATH_GROUP_DIR		"/etc/authpf/groups"
 #define PATH_BAN_DIR		"/etc/authpf/banned"
 #define PATH_DEVFILE		"/dev/pf"
 #define PATH_PIDFILE		"/var/authpf"


>Release-Note:
>Audit-Trail:
>Unformatted:


