author | Bob Beck <beck@cvs.openbsd.org> | 2013-01-15 23:03:38 +0000 |
---|---|---|
committer | Bob Beck <beck@cvs.openbsd.org> | 2013-01-15 23:03:38 +0000 |
commit | efcb76c8cd4fb9e2c4dfde21d5eb4aa07c167b08 (patch) | |
tree | ae569a131dd4792529bcffc999514784be1101e2 /usr.sbin/authpf | |
parent | 4d2f391f1c4876d63c3abe30c855b8f431a82b96 (diff) |
Per group support for authpf rules files in /etc/authpf/groups.
largely by Frank Timmers <frankt@smurfnet.eu> with fixups by me
and jmc@.
Diffstat (limited to 'usr.sbin/authpf')
-rw-r--r-- | usr.sbin/authpf/authpf.8 | 16 | ||||
-rw-r--r-- | usr.sbin/authpf/authpf.c | 16 | ||||
-rw-r--r-- | usr.sbin/authpf/pathnames.h | 3 |
3 files changed, 27 insertions, 8 deletions
diff --git a/usr.sbin/authpf/authpf.8 b/usr.sbin/authpf/authpf.8
index 60cf58312cc..51dbe704d18 100644
--- a/usr.sbin/authpf/authpf.8
+++ b/usr.sbin/authpf/authpf.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: authpf.8,v 1.52 2010/01/27 21:36:58 jmc Exp $
+.\" $OpenBSD: authpf.8,v 1.53 2013/01/15 23:03:37 beck Exp $
 .\"
 .\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved.
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 27 2010 $
+.Dd $Mdocdate: January 15 2013 $
 .Dt AUTHPF 8
 .Os
 .Sh NAME
@@ -133,15 +133,21 @@ is assigned the user name.
 Rules are stored in a file called
 .Pa authpf.rules .
 This file will first be searched for in
-.Pa /etc/authpf/users/$USER/
-and then in
+.Pa /etc/authpf/users/$USER/ ,
+then in
+.Pa /etc/authpf/groups/$GROUP/
+and finally in
 .Pa /etc/authpf/ .
-Only one of these files will be used if both are present.
+Only the first found file will be used.
 .Pp
 Per-user rules from the
 .Pa /etc/authpf/users/$USER/
 directory are intended to be used when non-default rules
 are needed on an individual user basis.
+Per-group rules from the
+.Pa /etc/authpf/groups/$GROUP/
+directory are intended to be used when non-default rules
+are needed on a group basis.
 It is important to ensure that a user can not write or change
 these configuration files.
 .Pp
diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c
index 985563b7a02..b3be00fe0e0 100644
--- a/usr.sbin/authpf/authpf.c
+++ b/usr.sbin/authpf/authpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authpf.c,v 1.116 2012/07/07 12:55:29 claudio Exp $ */
+/* $OpenBSD: authpf.c,v 1.117 2013/01/15 23:03:37 beck Exp $ */
 /*
  * Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org).
@@ -748,6 +748,12 @@ change_filter(int add, const char *luser, const char *ipsrc)
 if (add) {
 struct stat sb;
+ struct group *grent;
+ if((grent = getgrgid(getgid())) == NULL) {
+ syslog(LOG_ERR, "Group not found user %s, gid %d",
+ luser, getgid());
+ }
+
 char *pargv[13] = {
 "pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
 "-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL
@@ -771,8 +777,14 @@ change_filter(int add, const char *luser, const char *ipsrc)
 goto no_mem;
 if (stat(fn, &sb) == -1) {
 free(fn);
- if ((fn = strdup(PATH_PFRULES)) == NULL)
+ if(asprintf(&fn, "%s/%s/authpf.rules", PATH_GROUP_DIR,
+ grent->gr_name) == -1)
 goto no_mem;
+ if(stat(fn, &sb) == -1) {
+ free(fn);
+ if ((fn = strdup(PATH_PFRULES)) == NULL)
+ goto no_mem;
+ }
 }
 pargv[2] = fdpath;
 pargv[5] = rsn;
diff --git a/usr.sbin/authpf/pathnames.h b/usr.sbin/authpf/pathnames.h
index e02cf77c9fe..e663d8b6704 100644
--- a/usr.sbin/authpf/pathnames.h
+++ b/usr.sbin/authpf/pathnames.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $ */
+/* $OpenBSD: pathnames.h,v 1.9 2013/01/15 23:03:37 beck Exp $ */
 /*
  * Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca)
@@ -31,6 +31,7 @@
 #define PATH_PROBLEM "/etc/authpf/authpf.problem"
 #define PATH_MESSAGE "/etc/authpf/authpf.message"
 #define PATH_USER_DIR "/etc/authpf/users"
+#define PATH_GROUP_DIR "/etc/authpf/groups"
 #define PATH_BAN_DIR "/etc/authpf/banned"
 #define PATH_DEVFILE "/dev/pf"
 #define PATH_PIDFILE "/var/authpf"
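Review bot: In the -748 hunk a failed `getgrgid(getgid())` is only logged and execution continues, but the -771 hunk then passes `grent->gr_name` to asprintf() unconditionally, so a gid with no group entry becomes a NULL dereference instead of the intended fall-through to PATH_PFRULES. The fallback chain should consult the group directory only when the lookup succeeded, as in the rewrite below, or the NULL branch should leave change_filter the way its other error paths do (those paths are outside the hunk). The syslog() call also formats `getgid()` with `%d` although gid_t is an unsigned type on OpenBSD; `"Group not found user %s, gid %u", luser, (unsigned)getgid()` matches the argument. As a point of style, `char *pargv[13]` is now declared after a statement, whereas style(9) keeps declarations at the top of the block, so the lookup could move below the pargv initializer. change_filter starts and ends outside these hunks.
```c
			if (stat(fn, &sb) == -1) {
				free(fn);
				fn = NULL;
				/* Only consult the group directory if the gid resolved. */
				if (grent != NULL) {
					if (asprintf(&fn, "%s/%s/authpf.rules", PATH_GROUP_DIR,
					    grent->gr_name) == -1)
						goto no_mem;
					if (stat(fn, &sb) == -1) {
						free(fn);
						fn = NULL;
					}
				}
				if (fn == NULL && (fn = strdup(PATH_PFRULES)) == NULL)
					goto no_mem;
			}
			/* … unchanged: pargv[] setup … */
```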