author | Max Laier <mlaier@FreeBSD.org> | 2009-08-18 16:13:59 +0000 |
committer | Max Laier <mlaier@FreeBSD.org> | 2009-08-18 16:13:59 +0000 |
commit | 739de636d7c95255cef4fc68a2c80cd8af54e502 (patch) | |
tree | 5fe04cbe5c5d58503b8de083ec567a80fad7da80 /authpf | |
parent | 89a3159080a774bd9de50eaf1861a1f0c1657a9f (diff) |
eri@ wants to start on porting the latest pf in his user space so we can
finally have a new version in 9.0. Import pf as of OPENBSD_4_5_BASE to help
with that.
Notes
Notes:
svn path=/vendor/pf/dist/; revision=196360
svn path=/vendor/pf/4.5/; revision=196361; tag=vendor/pf/4.5
Diffstat (limited to 'authpf')
-rw-r--r-- | authpf/Makefile | 2 | ||||
-rw-r--r-- | authpf/authpf.8 | 8 | ||||
-rw-r--r-- | authpf/authpf.c | 90 | ||||
-rw-r--r-- | authpf/pathnames.h | 2 |
4 files changed, 76 insertions, 26 deletions
diff --git a/authpf/Makefile b/authpf/Makefile
index 100001a0a744..b0d26a6d3df8 100644
--- a/authpf/Makefile
+++ b/authpf/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.13 2008/02/14 01:49:17 mcbride Exp $
+# $OpenBSD: Makefile,v 1.12 2004/04/25 19:24:52 deraadt Exp $
 PROG= authpf
 MAN= authpf.8
diff --git a/authpf/authpf.8 b/authpf/authpf.8
index 6b6afa4616c3..4b6f13be4180 100644
--- a/authpf/authpf.8
+++ b/authpf/authpf.8
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 14 2008 $
+.Dd $Mdocdate: March 18 2008 $
 .Dt AUTHPF 8
 .Os
 .Sh NAME
@@ -202,6 +202,9 @@ It is also possible to configure
 to only allow specific users access.
 This is done by listing their login names, one per line, in
 .Pa /etc/authpf/authpf.allow .
+A group of users can also be indicated by prepending "%" to the group name,
+and all members of a login class can be indicated by prepending "@" to the
+login class name.
 If "*" is found on a line, then all usernames match.
 If
 .Nm
@@ -314,7 +317,8 @@ They have a wireless network which they would like to protect
 from unauthorized use.
 To accomplish this, they create the file
 .Pa /etc/authpf/authpf.allow
-which lists their login ids, one per line.
+which lists their login ids, group prepended with "%", or login class
+prepended with "@", one per line.
 At this point, even if eve could authenticate to
 .Xr sshd 8 ,
 she would not be allowed to use the gateway.
diff --git a/authpf/authpf.c b/authpf/authpf.c
index 1416b0db917f..208de3ac5b65 100644
--- a/authpf/authpf.c
+++ b/authpf/authpf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authpf.c,v 1.107 2008/02/14 01:49:17 mcbride Exp $ */
+/* $OpenBSD: authpf.c,v 1.111 2009/01/10 17:17:32 todd Exp $ */
 /*
  * Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org).
@@ -32,6 +32,7 @@
 #include <errno.h>
 #include <login_cap.h>
 #include <pwd.h>
+#include <grp.h>
 #include <signal.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -43,7 +44,7 @@
 static int read_config(FILE *);
 static void print_message(char *);
-static int allowed_luser(char *);
+static int allowed_luser(struct passwd *);
 static int check_luser(char *, char *);
 static int remove_stale_rulesets(void);
 static int recursive_ruleset_purge(char *, char *);
@@ -58,6 +59,7 @@ char tablename[PF_TABLE_NAME_SIZE] = "authpf_users";
 int user_ip = 1; /* controls whether $user_ip is set */
 FILE *pidfp;
+int pidfd = -1;
 char luser[MAXLOGNAME]; /* username */
 char ipsrc[256]; /* ip as a string */
 char pidfile[MAXPATHLEN]; /* we save pid in this file. */
@@ -78,7 +80,7 @@ extern char *__progname; /* program name */
 int
 main(int argc, char *argv[])
 {
- int lockcnt = 0, n, pidfd;
+ int lockcnt = 0, n;
 FILE *config;
 struct in6_addr ina;
 struct passwd *pw;
@@ -93,7 +95,7 @@ main(int argc, char *argv[])
 config = fopen(PATH_CONFFILE, "r");
 if (config == NULL) {
- syslog(LOG_ERR, "can not open %s (%m)", PATH_CONFFILE);
+ syslog(LOG_ERR, "cannot open %s (%m)", PATH_CONFFILE);
 exit(1);
 }
@@ -186,6 +188,14 @@ main(int argc, char *argv[])
 goto die;
 }
+ signal(SIGTERM, need_death);
+ signal(SIGINT, need_death);
+ signal(SIGALRM, need_death);
+ signal(SIGPIPE, need_death);
+ signal(SIGHUP, need_death);
+ signal(SIGQUIT, need_death);
+ signal(SIGTSTP, need_death);
 /*
 * If someone else is already using this ip, then this person
 * wants to switch users - so kill the old process and exit
@@ -239,15 +249,17 @@ main(int argc, char *argv[])
 }
 /*
- * we try to kill the previous process and acquire the lock
+ * We try to kill the previous process and acquire the lock
 * for 10 seconds, trying once a second. if we can't after
- * 10 attempts we log an error and give up
+ * 10 attempts we log an error and give up.
 */
- if (++lockcnt > 10) {
- syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
- otherpid);
+ if (want_death || ++lockcnt > 10) {
+ if (!want_death)
+ syslog(LOG_ERR, "cannot kill previous authpf (pid %d)",
+ otherpid);
 fclose(pidfp);
 pidfp = NULL;
+ pidfd = -1;
 goto dogdeath;
 }
 sleep(1);
@@ -258,6 +270,7 @@ main(int argc, char *argv[])
 */
 fclose(pidfp);
 pidfp = NULL;
+ pidfd = -1;
 } while (1);
 /* whack the group list */
@@ -275,7 +288,7 @@ main(int argc, char *argv[])
 }
 openlog("authpf", LOG_PID | LOG_NDELAY, LOG_DAEMON);
- if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(luser)) {
+ if (!check_luser(PATH_BAN_DIR, luser) || !allowed_luser(pw)) {
 syslog(LOG_INFO, "user %s prohibited", luser);
 do_death(0);
 }
@@ -306,13 +319,6 @@ main(int argc, char *argv[])
 do_death(0);
 }
- signal(SIGTERM, need_death);
- signal(SIGINT, need_death);
- signal(SIGALRM, need_death);
- signal(SIGPIPE, need_death);
- signal(SIGHUP, need_death);
- signal(SIGQUIT, need_death);
- signal(SIGTSTP, need_death);
 while (1) {
 printf("\r\nHello %s. ", luser);
 printf("You are authenticated from host \"%s\"\r\n", ipsrc);
@@ -434,6 +440,7 @@ print_message(char *filename)
 * allowed_luser checks to see if user "luser" is allowed to
 * use this gateway by virtue of being listed in an allowed
 * users file, namely /etc/authpf/authpf.allow .
+ * Users may be listed by <username>, %<group>, or @<login_class>.
 *
 * If /etc/authpf/authpf.allow does not exist, then we assume that
 * all users who are allowed in by sshd(8) are permitted to
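Review bot: The new `if (want_death || ++lockcnt > 10)` test polls `want_death` from the lock loop, now that the `signal(..., need_death)` calls were moved ahead of it, so the flag is written in the handler and read across `sleep(1)` here. Its declaration is outside the hunk; please confirm it is `volatile sig_atomic_t want_death;` and not a plain `int`, otherwise the compiler may legitimately keep the value in a register and the loop will not see the signal until the 10-attempt timeout fires. If it is already declared that way, a one-line comment on the flag, `/* set by need_death(); polled by the pidfile lock loop in main() */`, would document why the handlers must be installed before the loop. This hunk is inside main(), whose start and end lie outside it.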
@@ -442,7 +449,7 @@ print_message(char *filename)
 * the session terminates in the same manner as being banned.
 */
 static int
-allowed_luser(char *luser)
+allowed_luser(struct passwd *pw)
 {
 char *buf, *lbuf;
 int matched;
@@ -474,8 +481,14 @@ allowed_luser(char *luser)
 * "public" gateway, such as it is, so let
 * everyone use it.
 */
+ int gl_init = 0, ngroups = NGROUPS + 1;
+ gid_t groups[NGROUPS + 1];
+ lbuf = NULL;
+ matched = 0;
+
 while ((buf = fgetln(f, &len))) {
+
 if (buf[len - 1] == '\n')
 buf[len - 1] = '\0';
 else {
@@ -486,7 +499,40 @@ allowed_luser(char *luser)
 buf = lbuf;
 }
- matched = strcmp(luser, buf) == 0 || strcmp("*", buf) == 0;
+ if (buf[0] == '@') {
+ /* check login class */
+ if (strcmp(pw->pw_class, buf + 1) == 0)
+ matched++;
+ } else if (buf[0] == '%') {
+ /* check group membership */
+ int cnt;
+ struct group *group;
+ if ((group = getgrnam(buf + 1)) == NULL) {
+ syslog(LOG_ERR,
+ "invalid group '%s' in %s (%s)",
+ buf + 1, PATH_ALLOWFILE,
+ strerror(errno));
+ return (0);
+ }
+ if (!gl_init) {
+ (void) getgrouplist(pw->pw_name,
+ pw->pw_gid, groups, &ngroups);
+ gl_init++;
+ }
+ for ( cnt = 0; cnt < ngroups; cnt++) {
+ if (group->gr_gid == groups[cnt]) {
+ matched++;
+ break;
+ }
+ }
+ } else {
+ /* check username and wildcard */
+ matched = strcmp(pw->pw_name, buf) == 0 ||
+ strcmp("*", buf) == 0;
+ }
 if (lbuf != NULL) {
 free(lbuf);
@@ -494,10 +540,10 @@ allowed_luser(char *luser)
 }
 if (matched)
- return (1); /* matched an allowed username */
+ return (1); /* matched an allowed user/group */
 }
 syslog(LOG_INFO, "denied access to %s: not listed in %s",
- luser, PATH_ALLOWFILE);
+ pw->pw_name, PATH_ALLOWFILE);
 /* reuse buf */
 buf = "\n\nSorry, you are not allowed to use this facility!\n";
@@ -878,7 +924,7 @@ do_death(int active)
 authpf_kill_states();
 }
 }
- if (pidfile[0] && (pidfp != NULL))
+ if (pidfile[0] && pidfd != -1)
 if (unlink(pidfile) == -1)
 syslog(LOG_ERR, "cannot unlink %s (%m)", pidfile);
 exit(ret);
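Review bot: The `(void) getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups)` call in the `%group` branch of allowed_luser discards its result, so a user who belongs to more than NGROUPS + 1 groups gets a silently truncated list and a `%group` entry past the cutoff is denied with nothing in the log to explain it; the outcome is fail-closed, which is the right default for an access check, but it is undebuggable. I would keep the return value and log the truncation: `if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups) == -1) syslog(LOG_WARNING, "group list for %s truncated to %d groups", pw->pw_name, ngroups);`. The `strerror(errno)` in the getgrnam() failure message is also suspect, since a lookup of a group that merely does not exist may leave errno untouched and the log line then reports a stale error from an earlier call; setting `errno = 0;` before the call, or dropping the `(%s)`, would keep that message honest. allowed_luser's body starts and continues outside these hunks.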
diff --git a/authpf/pathnames.h b/authpf/pathnames.h
index e02cf77c9fe6..494b6ecab95f 100644
--- a/authpf/pathnames.h
+++ b/authpf/pathnames.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pathnames.h,v 1.8 2008/02/14 01:49:17 mcbride Exp $ */
+/* $OpenBSD: pathnames.h,v 1.7 2004/04/25 18:40:42 beck Exp $ */
 /*
  * Copyright (C) 2002 Chris Kuethe (ckuethe@ualberta.ca) |