diff options
| author |   mcbride <mcbride@openbsd.org> | 2009-01-06 03:11:50 +0000 |
|---|---|---|
| committer | mcbride <mcbride@openbsd.org> | 2009-01-06 03:11:50 +0000 |
| commit | 7940323a0cfd377659045c36ad4007ec72236846 (patch) | |
| tree | 9f9c1b4e12704fcef960970fd5492b3df0d0cccb /usr.sbin/authpf | |
| parent | Restrict FIFO depth to 1 byte on m4k/m5k/m8k/m9k. Hopefully this prevents (diff) | |
| download | wireguard-openbsd-7940323a0cfd377659045c36ad4007ec72236846.tar.xz wireguard-openbsd-7940323a0cfd377659045c36ad4007ec72236846.zip | |
Support group and login class in authpf.allow (%<group>, @<class>)
ok beck
Diffstat (limited to 'usr.sbin/authpf')
| -rw-r--r-- | usr.sbin/authpf/authpf.8 | 10 | ||||
| -rw-r--r-- | usr.sbin/authpf/authpf.c | 53 |
2 files changed, 53 insertions, 10 deletions
diff --git a/usr.sbin/authpf/authpf.8 b/usr.sbin/authpf/authpf.8 index ef1c5141f4b..b881e291169 100644 --- a/usr.sbin/authpf/authpf.8 +++ b/usr.sbin/authpf/authpf.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: authpf.8,v 1.46 2008/03/18 23:03:14 merdely Exp $ +.\" $OpenBSD: authpf.8,v 1.47 2009/01/06 03:11:50 mcbride Exp $ .\" .\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved. .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: March 18 2008 $ +.Dd $Mdocdate: January 6 2009 $ .Dt AUTHPF 8 .Os .Sh NAME @@ -202,6 +202,9 @@ It is also possible to configure to only allow specific users access. This is done by listing their login names, one per line, in .Pa /etc/authpf/authpf.allow . +A group of users can also be indicated by prepending "%" to the group name, +and all members of a login class can be indicated by prepending "@" to the +login class name. If "*" is found on a line, then all usernames match. If .Nm @@ -314,7 +317,8 @@ They have a wireless network which they would like to protect from unauthorized use. To accomplish this, they create the file .Pa /etc/authpf/authpf.allow -which lists their login ids, one per line. +which lists their login ids, group prepended with "%", or login class +prepended with "@", one per line. At this point, even if eve could authenticate to .Xr sshd 8 , she would not be allowed to use the gateway. diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c index e2f4b5019fa..e95505ab70f 100644 --- a/usr.sbin/authpf/authpf.c +++ b/usr.sbin/authpf/authpf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authpf.c,v 1.109 2008/10/07 17:27:17 deraadt Exp $ */ +/* $OpenBSD: authpf.c,v 1.110 2009/01/06 03:11:50 mcbride Exp $ */ /* * Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org). @@ -32,6 +32,7 @@ #include <errno.h> #include <login_cap.h> #include <pwd.h> +#include <grp.h> #include <signal.h> #include <stdio.h> #include <stdlib.h> @@ -43,7 +44,7 @@ static int read_config(FILE *); static void print_message(char *); -static int allowed_luser(char *); +static int allowed_luser(struct passwd *); static int check_luser(char *, char *); static int remove_stale_rulesets(void); static int recursive_ruleset_purge(char *, char *); @@ -287,7 +288,7 @@ main(int argc, char *argv[]) } openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON); - if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) { + if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(pw)) { syslog(LOG_INFO, "user %s prohibited", luser); do_death(0); } @@ -439,6 +440,7 @@ print_message(char *filename) * allowed_luser checks to see if user "luser" is allowed to * use this gateway by virtue of being listed in an allowed * users file, namely /etc/authpf/authpf.allow . + * Users may be listed by <username>, %<group>, or @<login_class>. * * If /etc/authpf/authpf.allow does not exist, then we assume that * all users who are allowed in by sshd(8) are permitted to @@ -447,7 +449,7 @@ print_message(char *filename) * the session terminates in the same manner as being banned. */ static int -allowed_luser(char *luser) +allowed_luser(struct passwd *pw) { char *buf, *lbuf; int matched; @@ -480,7 +482,11 @@ allowed_luser(char *luser) * everyone use it. */ lbuf = NULL; + int gl_init = 0, ngroups = NGROUPS + 1; + gid_t groups[NGROUPS + 1]; + while ((buf = fgetln(f, &len))) { + if (buf[len - 1] == '\n') buf[len - 1] = '\0'; else { @@ -491,7 +497,40 @@ allowed_luser(char *luser) buf = lbuf; } - matched = strcmp(luser, buf) == 0 || strcmp("*", buf) == 0; + if (buf[0] == '@') { + /* check login class */ + if (strcmp(pw->pw_class, buf + 1) == 0) + matched++; + } else if (buf[0] == '%') { + /* check group membership */ + int cnt; + struct group *group; + + if ((group = getgrnam(buf + 1)) == NULL) { + syslog(LOG_ERR, + "invalid group '%s' in %s (%s)", + buf + 1, PATH_ALLOWFILE, + strerror(errno)); + return (0); + } + + if (!gl_init) { + (void) getgrouplist(pw->pw_name, + pw->pw_gid, groups, &ngroups); + gl_init++; + } + + for ( cnt = 0; cnt < ngroups; cnt++) { + if (group->gr_gid == groups[cnt]) { + matched++; + break; + } + } + } else { + /* check username and wildcard */ + matched = strcmp(pw->pw_name, buf) == 0 || + strcmp("*", buf) == 0; + } if (lbuf != NULL) { free(lbuf); @@ -499,10 +538,10 @@ allowed_luser(char *luser) } if (matched) - return (1); /* matched an allowed username */ + return (1); /* matched an allowed user/group */ } syslog(LOG_INFO, "denied access to %s: not listed in %s", - luser, PATH_ALLOWFILE); + pw->pw_name, PATH_ALLOWFILE); /* reuse buf */ buf = "\n\nSorry, you are not allowed to use this facility!\n"; |