authorTheo de Raadt <deraadt@cvs.openbsd.org>2002-04-05 20:35:53 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>2002-04-05 20:35:53 +0000
commitbbb08ac8afdf3907ecea7eab892fd01b45c3639f (patch)
treeb939c22a5ec2758504e6f7f75698f3b12d45f21b
parenta4452ea4d72b085adbfcc8536435ba9aef315573 (diff)
move location of per-user config files; beck ok
-rw-r--r--usr.sbin/authpf/authpf.822
-rw-r--r--usr.sbin/authpf/authpf.c75
-rw-r--r--usr.sbin/authpf/pathnames.h5
3 files changed, 22 insertions, 80 deletions
diff --git a/usr.sbin/authpf/authpf.8 b/usr.sbin/authpf/authpf.8
index 9cf5e73f42b..d2755114b72 100644
--- a/usr.sbin/authpf/authpf.8
+++ b/usr.sbin/authpf/authpf.8
@@ -1,4 +1,4 @@
-\" $OpenBSD: authpf.8,v 1.7 2002/04/05 03:06:52 beck Exp $
+.\" $OpenBSD: authpf.8,v 1.8 2002/04/05 20:35:52 deraadt Exp $
.\"
.\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved.
.\"
@@ -96,18 +96,18 @@ which is defined to the connecting ip address whenever
is run.
.Pp
Filter and nat rules will be searched for first in
-.Pa $HOME/.authpf/
+.Pa /etc/authpf/users/$USER/
and then in
.Pa /etc/authpf/ .
Per-user rules from the
-.Pa $HOME/.authpf/
+.Pa /etc/authpf/users/$USER/
directory are intended to be used when non-default rules
are needed on an individual user basis. It is important to ensure
that a user can not write or change these configuration files in
this case.
.Pp
Filter rules are loaded from the file
-.Pa $HOME/.authpf/authpf.rules .
+.Pa /etc/authpf/users/$USER/authpf.rules .
If this file does not exist the file
.Pa /etc/authpf/authpf.rules
is used.
@@ -123,7 +123,7 @@ and be writable only to root or
will not run.
.Pp
Translation rules are loaded from the file
-.Pa $HOME/.authpf/authpf.nat .
+.Pa /etc/authpf/users/$USER/authpf.nat .
If this file does not exist the file
.Pa /etc/authpf/authpf.nat
is used.
@@ -175,7 +175,7 @@ authenticated to
.Xr ssh 1
and deny access to only a few troublesome individuals.
This is done by creating a file with the banned user's login name in
-.Pa /var/authpf/banned .
+.Pa /etc/authpf/banned .
The contents of this file will be displayed to a banned user, thus providing
a method for informing the user that they have been banned, and where they can
go and how to get there if they want to have their service restored.
@@ -247,7 +247,7 @@ as their shell, the regular users should be prevented from running
by using the
.Pa /etc/authpf/authpf.allow
or
-.Pa /var/authpf/banned/
+.Pa /etc/authpf/banned/
facilities.
.Pp
.Nm
@@ -272,16 +272,16 @@ Normally, as long as bob can authenticate himself, the
.Nm
program will load the appropriate rules.
Enter the
-.Pa /var/authpf/banned/
+.Pa /etc/authpf/banned/
directory.
If bob has somehow fallen from grace in the eyes of the
powers-that-be, they can prohibit him from using the gateway by creating
the file
-.Pa /var/authpf/banned/bob
+.Pa /etc/authpf/banned/bob
containing a message about why he has been banned from using the network.
Once bob has done suitable pennance, his access may be restored by moving or
removing the file
-.Pa /var/authpf/banned/bob.
+.Pa /etc/authpf/banned/bob.
.Pp
Now consider a workgroup containing alice, bob, carol and dave.
They have a
@@ -296,7 +296,7 @@ Adding and removing users from
the work group is a simple matter of maintaining a list of allowed userids.
If bob once again manages to annoy the powers-that-be, they can ban him from
using the gateway by creating the familiar
-.Pa /var/authpf/banned/bob
+.Pa /etc/authpf/banned/bob
file.
Though bob is listed in the allow file, he is prevented from using
this gateway due to the existence of a ban file.
diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c
index 6c8d0547d0a..999f1d7432a 100644
--- a/usr.sbin/authpf/authpf.c
+++ b/usr.sbin/authpf/authpf.c
@@ -1,3 +1,5 @@
+/* $OpenBSD: authpf.c,v 1.7 2002/04/05 20:35:52 deraadt Exp $ */
+
/*
* Copyright (C) 1998 - 2002 Bob Beck (beck@openbsd.org).
*
@@ -92,7 +94,6 @@ static int changefilter(int, char *, char *);
static void authpf_kill_states(void);
static void terminator(int s);
static __dead void go_away(void);
-static int secure_fullpath(char *);
/*
* authpf:
@@ -299,10 +300,6 @@ read_config(void)
if (f == NULL)
exit(1); /* exit silently if we have no config file */
- if (secure_fullpath(configfile) != 0)
- /* config file exists, but is not secure */
- exit(1);
-
openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
do {
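Review bot: Removing the `secure_fullpath(configfile)` call here deletes the only visible ownership and mode check on the config file before its contents are parsed, and the same removal happens for rulesfile in the @@ -619 hunk and for natfile in the @@ -704 hunk. The new location under /etc/authpf is presumably root-owned, but the authpf.8 text in this same commit still tells administrators it is important that a user cannot write or change these files, so the program should keep verifying that rather than relying on directory placement alone. The deleted function wrapped `secure_path()` (see its body in the @@ -855 hunk), so if that helper is still available the per-file part of the check can be retained cheaply: `if (secure_path(configfile) != 0) exit(1);` after the fopen here, with matching `goto error` checks on rulesfile and natfile in changefilter. read_config's body continues outside the hunk.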
@@ -557,7 +554,6 @@ changefilter(int add, char *luser, char *ipsrc)
struct pfctl pf;
int rcount, wcount;
FILE *fin = NULL;
- char *cp;
memset (&pf, 0, sizeof(pf));
memset (&pr, 0, sizeof(pr));
@@ -591,12 +587,8 @@ changefilter(int add, char *luser, char *ipsrc)
fflush(fin);
- if ((cp = getenv("HOME")) == NULL) {
- syslog(LOG_ERR, "No Home Directory!");
- goto error;
- }
- if (snprintf(rulesfile, sizeof rulesfile, "%s/.authpf/authpf.rules",
- cp) >= sizeof rulesfile) {
+ if (snprintf(rulesfile, sizeof rulesfile, "%s/%s/authpf.rules",
+ PATH_USER_DIR, luser) >= sizeof rulesfile) {
syslog(LOG_ERR, "homedir path too long, exiting");
goto error;
}
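Review bot: The error text `"homedir path too long, exiting"` is now stale, since the path being built is `PATH_USER_DIR "/" luser "/authpf.rules"` and no longer involves $HOME; the same stale message survives in the natfile hunk at @@ -671. Suggest `syslog(LOG_ERR, "user rules path too long, exiting");` here and `syslog(LOG_ERR, "user nat path too long, exiting");` there so log readers are not sent looking at home directories. luser is now interpolated directly into a filesystem path; it is presumably the login name taken from the password database outside this hunk, but a brief comment stating that assumption at the snprintf, or a check that it contains no '/', would make the construction self-evidently safe to the next reader. changefilter's body begins and ends outside the hunk.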
@@ -619,10 +611,6 @@ changefilter(int add, char *luser, char *ipsrc)
}
}
- if (secure_fullpath(rulesfile) != 0)
- /* rules file exists, but is not secure */
- goto error;
-
while ((rcount = read(from_fd, buf, sizeof(buf))) > 0) {
wcount = write(tmpfile, buf, rcount);
if (rcount != wcount || wcount == -1) {
@@ -671,13 +659,8 @@ changefilter(int add, char *luser, char *ipsrc)
goto error;
}
- /* now, for NAT, if we have some */
- if ((cp = getenv("HOME")) == NULL) {
- syslog(LOG_ERR, "No Home Directory!");
- goto error;
- }
- if (snprintf(natfile, sizeof natfile, "%s/.authpf/authpf.nat", cp) >=
- sizeof natfile) {
+ if (snprintf(natfile, sizeof natfile, "%s/%s/authpf.nat",
+ PATH_USER_DIR, luser) >= sizeof natfile) {
syslog(LOG_ERR, "homedir path too long, exiting");
goto error;
}
@@ -704,10 +687,7 @@ changefilter(int add, char *luser, char *ipsrc)
}
}
}
- if (from_fd != -1 && secure_fullpath(natfile) != 0)
- /* nat file exists, but is not secure */
- goto error;
-
+
tmpfile = mkstemp(template2);
if (tmpfile == -1) {
syslog(LOG_ERR, "Can't open temp file %s (%m)",
@@ -855,47 +835,6 @@ go_away(void)
}
/*
- * secure_fullpath:
- * akin to secure_path, but for a directory - needed to ensure
- * users can't get something they aren't supposed to by moveing
- * files aside or linking other directories, such as the default
- * one.
- */
-static int
-secure_fullpath(char *path)
-{
- struct stat sb;
- char *cp;
-
- if (secure_path(path) < 0)
- return(-1);
-
- cp = path;
-
- do {
- cp = dirname(cp);
- memset(&sb, 0, sizeof(sb));
- /*
- * if it's owned or writable by someone
- * other than root, it's bad. since these are directories,
- * not the end path, they are allowed to be symbolic links
- * and other such things (unlike the file itself).
- */
- if (lstat(cp, &sb) < 0) {
- syslog(LOG_ERR, "cannot stat %s: %m", cp);
- return (-1);
- } else if (sb.st_uid != 0) {
- syslog(LOG_ERR, "%s: not owned by root", cp);
- return (-1);
- } else if (sb.st_mode & (S_IWGRP | S_IWOTH)) {
- syslog(LOG_ERR, "%s: writeable by non-root", cp);
- return (-1);
- }
- } while (strlen(cp) > 1);
- return (0);
-}
-
-/*
* pfctl_add_rules:
* callback for rule add, used by parser in parse_rules
*/
diff --git a/usr.sbin/authpf/pathnames.h b/usr.sbin/authpf/pathnames.h
index 719c0850f86..adc7a687046 100644
--- a/usr.sbin/authpf/pathnames.h
+++ b/usr.sbin/authpf/pathnames.h
@@ -1,3 +1,5 @@
+/* $OpenBSD: pathnames.h,v 1.2 2002/04/05 20:35:52 deraadt Exp $ */
+
/*
* Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca)
*
@@ -32,7 +34,8 @@
#define PATH_NATRULES "/etc/authpf/authpf.nat"
#define PATH_PROBLEM "/etc/authpf/authpf.problem"
#define PATH_MESSAGE "/etc/authpf/authpf.message"
-#define PATH_BAN_DIR "/var/authpf/banned"
+#define PATH_USER_DIR "/etc/authpf/users"
+#define PATH_BAN_DIR "/etc/authpf/banned"
#define PATH_DEVFILE "/dev/pf"
#define PATH_PIDFILE "/var/run/authpf"
#define PATH_USERFILE "/var/authpf"
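Review bot: PATH_USER_DIR is a directory prefix that authpf.c appends a login name and a file name to, unlike the neighbouring PATH_* macros that name complete files, and nothing in the header says so. A one-line comment above the define would prevent it being used as a file path, e.g. `/* parent of per-user dirs: PATH_USER_DIR/<login>/authpf.{rules,nat} */`. It would also help to note that, like PATH_BAN_DIR, the tree under it is expected to be root-owned and not user-writable, matching the requirement stated in authpf.8.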