author | beck <beck@openbsd.org> | 2013-01-15 23:03:37 +0000 |
---|---|---|
committer | beck <beck@openbsd.org> | 2013-01-15 23:03:37 +0000 |
commit | e5a64f8b6f42d0d92fd0bfab42d333199885fc39 (patch) | |
tree | bbbae3db1313147513c07e21b0123d19714d5a88 /usr.sbin/authpf | |
parent | If timing between keys is less than (by default) 1 millisecond, assume (diff) | |
Per group support for authpf rules files in /etc/authpf/groups.
largely by Frank Timmers <frankt@smurfnet.eu> with fixups by me
and jmc@.
Diffstat (limited to 'usr.sbin/authpf')
-rw-r--r-- | usr.sbin/authpf/authpf.8 | 16 | ||||
-rw-r--r-- | usr.sbin/authpf/authpf.c | 16 | ||||
-rw-r--r-- | usr.sbin/authpf/pathnames.h | 3 |
3 files changed, 27 insertions, 8 deletions
diff --git a/usr.sbin/authpf/authpf.8 b/usr.sbin/authpf/authpf.8 index 60cf58312cc..51dbe704d18 100644 --- a/usr.sbin/authpf/authpf.8 +++ b/usr.sbin/authpf/authpf.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: authpf.8,v 1.52 2010/01/27 21:36:58 jmc Exp $ +.\" $OpenBSD: authpf.8,v 1.53 2013/01/15 23:03:37 beck Exp $ .\" .\" Copyright (c) 1998-2007 Bob Beck (beck@openbsd.org>. All rights reserved. .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: January 27 2010 $ +.Dd $Mdocdate: January 15 2013 $ .Dt AUTHPF 8 .Os .Sh NAME @@ -133,15 +133,21 @@ is assigned the user name. Rules are stored in a file called .Pa authpf.rules . This file will first be searched for in -.Pa /etc/authpf/users/$USER/ -and then in +.Pa /etc/authpf/users/$USER/ , +then in +.Pa /etc/authpf/groups/$GROUP/ +and finally in .Pa /etc/authpf/ . -Only one of these files will be used if both are present. +Only the first found file will be used. .Pp Per-user rules from the .Pa /etc/authpf/users/$USER/ directory are intended to be used when non-default rules are needed on an individual user basis. +Per-group rules from the +.Pa /etc/authpf/groups/$GROUP/ +directory are intended to be used when non-default rules +are needed on a group basis. It is important to ensure that a user can not write or change these configuration files. .Pp diff --git a/usr.sbin/authpf/authpf.c b/usr.sbin/authpf/authpf.c index 985563b7a02..b3be00fe0e0 100644 --- a/usr.sbin/authpf/authpf.c +++ b/usr.sbin/authpf/authpf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: authpf.c,v 1.116 2012/07/07 12:55:29 claudio Exp $ */ +/* $OpenBSD: authpf.c,v 1.117 2013/01/15 23:03:37 beck Exp $ */ /* * Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org). 
@@ -748,6 +748,12 @@ change_filter(int add, const char *luser, const char *ipsrc)
 
 if (add) {
 struct stat sb;
+ struct group *grent;
+ if((grent = getgrgid(getgid())) == NULL) {
+ syslog(LOG_ERR, "Group not found user %s, gid %d",
+ luser, getgid());
+ }
+
 char *pargv[13] = {
 "pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
 "-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL
@@ -771,8 +777,14 @@ change_filter(int add, const char *luser, const char *ipsrc)
 goto no_mem;
 if (stat(fn, &sb) == -1) {
 free(fn);
- if ((fn = strdup(PATH_PFRULES)) == NULL)
+ if(asprintf(&fn, "%s/%s/authpf.rules", PATH_GROUP_DIR,
+ grent->gr_name) == -1)
 goto no_mem;
+ if(stat(fn, &sb) == -1) {
+ free(fn);
+ if ((fn = strdup(PATH_PFRULES)) == NULL)
+ goto no_mem;
+ }
 }
 pargv[2] = fdpath;
 pargv[5] = rsn;
diff --git a/usr.sbin/authpf/pathnames.h b/usr.sbin/authpf/pathnames.h
index e02cf77c9fe..e663d8b6704 100644
--- a/usr.sbin/authpf/pathnames.h
+++ b/usr.sbin/authpf/pathnames.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $ */
+/* $OpenBSD: pathnames.h,v 1.9 2013/01/15 23:03:37 beck Exp $ */
 
 /*
 * Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca)
@@ -31,6 +31,7 @@
 #define PATH_PROBLEM "/etc/authpf/authpf.problem"
 #define PATH_MESSAGE "/etc/authpf/authpf.message"
 #define PATH_USER_DIR "/etc/authpf/users"
+#define PATH_GROUP_DIR "/etc/authpf/groups"
 #define PATH_BAN_DIR "/etc/authpf/banned"
 #define PATH_DEVFILE "/dev/pf"
 #define PATH_PIDFILE "/var/authpf"
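Review bot: `grent->gr_name` in the second authpf.c hunk is dereferenced unconditionally, but the first hunk only logs when `getgrgid(getgid())` returns NULL and leaves grent NULL, so a user whose primary gid has no group(5) entry crashes authpf with a null dereference instead of falling back to PATH_PFRULES. A missing group entry should simply mean "no per-group rules file" and skip straight to the PATH_PFRULES fallback, as sketched below, or the lookup failure should take the function's error path rather than continuing. The syslog call also passes a gid_t to a `%d` conversion; cast it to a matching type, e.g. `(unsigned)getgid()` with `%u`, so the format and argument agree. As a point of style, the three new `if(` lack the space that KNF and the surrounding `if (` lines use. change_filter's body starts and ends outside these hunks.
```c
			if (stat(fn, &sb) == -1) {
				free(fn);
				fn = NULL;
				/* No group entry for our gid: skip the per-group file. */
				if (grent != NULL && asprintf(&fn, "%s/%s/authpf.rules",
				    PATH_GROUP_DIR, grent->gr_name) == -1)
					goto no_mem;
				if (fn == NULL || stat(fn, &sb) == -1) {
					free(fn);
					if ((fn = strdup(PATH_PFRULES)) == NULL)
						goto no_mem;
				}
			}
			/* … unchanged: pargv[2] = fdpath; pargv[5] = rsn; … */
```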