authorbeck <beck@openbsd.org>2013-01-15 23:03:37 +0000
committerbeck <beck@openbsd.org>2013-01-15 23:03:37 +0000
commite5a64f8b6f42d0d92fd0bfab42d333199885fc39 (patch)
treebbbae3db1313147513c07e21b0123d19714d5a88 /usr.sbin/authpf
parentIf timing between keys is less than (by default) 1 millisecond, assume (diff)
Per group support for authpf rules files in /etc/authpf/groups.
Largely by Frank Timmers <frankt@smurfnet.eu> with fixups by me and jmc@.
Diffstat (limited to 'usr.sbin/authpf')
-rw-r--r--usr.sbin/authpf/authpf.816
-rw-r--r--usr.sbin/authpf/authpf.c16
-rw-r--r--usr.sbin/authpf/pathnames.h3
3 files changed, 27 insertions, 8 deletions
diff --git a/usr.sbin/authpf/authpf.8 b/usr.sbin/authpf/authpf.8
index 60cf58312cc..51dbe704d18 100644
--- a/usr.sbin/authpf/authpf.8
+++ b/usr.sbin/authpf/authpf.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: authpf.8,v 1.52 2010/01/27 21:36:58 jmc Exp $
+.\" $OpenBSD: authpf.8,v 1.53 2013/01/15 23:03:37 beck Exp $
.\"
.\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved.
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: January 27 2010 $
+.Dd $Mdocdate: January 15 2013 $
.Dt AUTHPF 8
.Os
.Sh NAME
@@ -133,15 +133,21 @@ is assigned the user name.
Rules are stored in a file called
.Pa authpf.rules .
This file will first be searched for in
-.Pa /etc/authpf/users/$USER/
-and then in
+.Pa /etc/authpf/users/$USER/ ,
+then in
+.Pa /etc/authpf/groups/$GROUP/
+and finally in
.Pa /etc/authpf/ .
-Only one of these files will be used if both are present.
+Only the first found file will be used.
.Pp
Per-user rules from the
.Pa /etc/authpf/users/$USER/
directory are intended to be used when non-default rules
are needed on an individual user basis.
+Per-group rules from the
+.Pa /etc/authpf/groups/$GROUP/
+directory are intended to be used when non-default rules
+are needed on a group basis.
It is important to ensure that a user can not write or change
these configuration files.
.Pp
diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c
index 985563b7a02..b3be00fe0e0 100644
--- a/usr.sbin/authpf/authpf.c
+++ b/usr.sbin/authpf/authpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authpf.c,v 1.116 2012/07/07 12:55:29 claudio Exp $ */
+/* $OpenBSD: authpf.c,v 1.117 2013/01/15 23:03:37 beck Exp $ */
/*
* Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org).
@@ -748,6 +748,12 @@ change_filter(int add, const char *luser, const char *ipsrc)
if (add) {
struct stat sb;
+ struct group *grent;
+ if((grent = getgrgid(getgid())) == NULL) {
+ syslog(LOG_ERR, "Group not found user %s, gid %d",
+ luser, getgid());
+ }
+
char *pargv[13] = {
"pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
"-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL
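Review bot: The NULL result of getgrgid() is only logged here, yet the next hunk (`@@ -771,8 +777,14 @@`) dereferences `grent->gr_name` unconditionally, so a login whose real gid has no group database entry crashes authpf in change_filter instead of falling through to the default rules file. The per-group lookup should be skipped when `grent` is NULL so the existing /etc/authpf/authpf.rules fallback still runs (rewritten lines below). The syslog call also prints gid_t with `%d`; gid_t is an unsigned type on OpenBSD, so `(unsigned)getgid()` with `%u` matches the argument. change_filter begins before this hunk and continues past the next one.
```c
	if (stat(fn, &sb) == -1) {
		free(fn);
		fn = NULL;
		/* No group entry for this gid: skip the per-group file. */
		if (grent != NULL && asprintf(&fn, "%s/%s/authpf.rules",
		    PATH_GROUP_DIR, grent->gr_name) == -1)
			goto no_mem;
		if (fn == NULL || stat(fn, &sb) == -1) {
			free(fn);
			if ((fn = strdup(PATH_PFRULES)) == NULL)
				goto no_mem;
		}
	}
```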
@@ -771,8 +777,14 @@ change_filter(int add, const char *luser, const char *ipsrc)
goto no_mem;
if (stat(fn, &sb) == -1) {
free(fn);
- if ((fn = strdup(PATH_PFRULES)) == NULL)
+ if(asprintf(&fn, "%s/%s/authpf.rules", PATH_GROUP_DIR,
+ grent->gr_name) == -1)
goto no_mem;
+ if(stat(fn, &sb) == -1) {
+ free(fn);
+ if ((fn = strdup(PATH_PFRULES)) == NULL)
+ goto no_mem;
+ }
}
pargv[2] = fdpath;
pargv[5] = rsn;
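Review bot: The added `if(asprintf(` and `if(stat(` lines omit the space after `if` that the surrounding code and style(9) use; they should read `if (asprintf(&fn, "%s/%s/authpf.rules", PATH_GROUP_DIR,` and `if (stat(fn, &sb) == -1) {`. It would also help a reader to state which group the per-group rules are keyed on, since the man page hunk introduces `$GROUP` without defining it; a comment above the asprintf such as `/* Per-group rules are keyed on the login's real gid (presumably the primary group). */` would do, with the parenthetical confirmed against how authpf is invoked. change_filter's body continues outside this hunk.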
diff --git a/usr.sbin/authpf/pathnames.h b/usr.sbin/authpf/pathnames.h
index e02cf77c9fe..e663d8b6704 100644
--- a/usr.sbin/authpf/pathnames.h
+++ b/usr.sbin/authpf/pathnames.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $ */
+/* $OpenBSD: pathnames.h,v 1.9 2013/01/15 23:03:37 beck Exp $ */
/*
* Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca)
@@ -31,6 +31,7 @@
#define PATH_PROBLEM "/etc/authpf/authpf.problem"
#define PATH_MESSAGE "/etc/authpf/authpf.message"
#define PATH_USER_DIR "/etc/authpf/users"
+#define PATH_GROUP_DIR "/etc/authpf/groups"
#define PATH_BAN_DIR "/etc/authpf/banned"
#define PATH_DEVFILE "/dev/pf"
#define PATH_PIDFILE "/var/authpf"