| field | value | date |
|---|---|---|
| author | Bob Beck <beck@cvs.openbsd.org> | 2002-04-05 03:06:53 +0000 |
| committer | Bob Beck <beck@cvs.openbsd.org> | 2002-04-05 03:06:53 +0000 |
| commit | 55c75a1311d9386b131974caea14fc2339b1015c (patch) | |
| tree | ed1790241a4ece260a531758a79740600f8b70cb /usr.sbin/authpf/authpf.8 | |
| parent | 8323310612d467ed0dda318f51a12143efb34599 (diff) | |
ensure that rules files are owned and writable only by root,
along their entire path, change docs accordingly. This ensures
that people don't accidentally use the $HOME config files to
override real settings unless root meant to do it.
Diffstat (limited to 'usr.sbin/authpf/authpf.8')
-rw-r--r-- | usr.sbin/authpf/authpf.8 | 34 |
1 files changed, 26 insertions, 8 deletions
diff --git a/usr.sbin/authpf/authpf.8 b/usr.sbin/authpf/authpf.8 index d57e0418a52..9cf5e73f42b 100644 --- a/usr.sbin/authpf/authpf.8 +++ b/usr.sbin/authpf/authpf.8 @@ -1,4 +1,4 @@ -\" $OpenBSD: authpf.8,v 1.6 2002/04/02 17:29:47 mpech Exp $ +\" $OpenBSD: authpf.8,v 1.7 2002/04/05 03:06:52 beck Exp $ .\" .\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved. .\" @@ -95,6 +95,17 @@ which is defined to the connecting ip address whenever .Nm is run. .Pp +Filter and nat rules will be searched for first in +.Pa $HOME/.authpf/ +and then in +.Pa /etc/authpf/ . +Per-user rules from the +.Pa $HOME/.authpf/ +directory are intended to be used when non-default rules +are needed on an individual user basis. It is important to ensure +that a user can not write or change these configuration files in +this case. +.Pp Filter rules are loaded from the file .Pa $HOME/.authpf/authpf.rules . If this file does not exist the file @@ -102,13 +113,14 @@ If this file does not exist the file is used. The .Pa authpf.rules -file must exist in either the user's -.Pa $HOME/.authpf/ -directory, or in -.Pa /etc/authpf , -for +file must exist in one of the above locations for .Nm -to run. +to run. Additionally, all directories on the path to the +.Pa authpf.rules +file as well as the file itself must be owned by root +and be writable only to root or +.Nm +will not run. .Pp Translation rules are loaded from the file .Pa $HOME/.authpf/authpf.nat . @@ -117,7 +129,13 @@ If this file does not exist the file is used. The use of translation rules in an .Pa authpf.nat -file is optional. +file is optional, but if an +.Pa authpf.nat +file exists in either of the above locations, all directories on the path, +as well as the file itself must be +owned by root and be writable only to root or +.Nm +will not run .Sh CONFIGURATION Options are controlled by the .Pa /etc/authpf/authpf.conf |
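Review bot: the copyright context line shown in the first hunk, `.\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved.`, has a mismatched bracket around the address (opened with `(`, closed with `>`); since the file is being touched anyway, it could be corrected to `<beck@openbsd.org>` in the same commit.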
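Review bot: the new paragraph in the second hunk states the requirement loosely (`+that a user can not write or change these configuration files in` / `+this case.`) while the following hunk states it precisely; it would help to say here that every directory on the path and the file itself must be owned by root and writable only by root, and to spell out that this includes `$HOME` itself when `$HOME/.authpf/` is used, because a home directory owned by the user will fail that check, which is the surprising part for an administrator setting up per-user rules. Also `can not` should be `cannot`.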
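Review bot: in the third hunk, `+and be writable only to root or` reads awkwardly; `writable only by root` is clearer and is the phrasing the ownership check enforces. The hunk also leaves open what happens when `$HOME/.authpf/authpf.rules` exists but fails the ownership test: as written, `.Nm` `will not run` rather than falling back to `/etc/authpf/authpf.rules`, and since the earlier paragraph describes a search order this is worth stating explicitly so nobody expects the fallback to apply.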
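Review bot: the last added line of the fourth hunk, `+will not run`, lacks a terminating period before `.Sh CONFIGURATION`; it should read `will not run.` to match the sentence in the previous hunk. The same wording fix applies here (`writable only by root`), and the commas in `all directories on the path, as well as the file itself must be` should pair: `all directories on the path, as well as the file itself, must be`.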