[pf4freebsd] Comments? FreeBSD-only change (group -> groupmember)
Max Laier
max at love2party.net
Wed Sep 15 21:08:50 PDT 2004
Hi,
during a discussion about ipfw's user/group filter capabilities and its
implementation with Christian S.J. Peron we found that pf only applies group
filter based on the primary (effective) group of the user, rather than taking
all member groups into account. This is a major drawback for multiuser
environments, where you want to allow/deny a large group of people certain
network access, say:
pass out on $dmz from $dmz to $cvsserver port 22 group cvsuser keep state
In FreeBSD it's quite easy to change the behavior to check for member-groups
(see attachment). For OpenBSD, however, this is not possible as it does not
store/reference full credentials on the socket pcb, but rather just copies
uid/gid and euid/egid.
A patch to the same effect as what was done in FreeBSD:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/kern/uipc_socket.c.diff?r1=1.59&r2=1.62
would change the situation and provide a couple of benefits (imo):
Not only would it allow pf to check groupmembership, but it will also give
*everything* that has to enforce per-socket permissions access to the *full*
credentials. Moreover, it will simply provide any future extensions of the
credentials to everything that might be interested.
I plan to commit the "fix" for FreeBSD unless you tell me that you (=the
FreeBSD pf-userbase) prefer the old behavior (and give me valid reasons why).
Other than that I am willing to help with the conversion in OpenBSD if you
(=the OpenBSD users/developers^W^W^WTheo) are interested.
Looking forward to your feedback. Thanks.
Final note on the patch: You will see a new cache variable "jid" that seems to
have no sense or application. This will turn into a "jailed" filter, which
allows you to check whether a given socket was created inside a jail or not.
This is FreeBSD-specific as well and will follow in a bit.
--
/"\ Best regards, | mlaier at freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier at EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pf_groupmember.patch
Type: text/x-diff
Size: 6885 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20040916/df74ec68/pf_groupmember.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: signature
Url : http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20040916/df74ec68/attachment.bin
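The behavioural difference the mail describes, as an added illustration that is not part of the mail or of the attached pf patch: a pf "group" rule matched against only the socket's effective gid misses users whose membership is supplementary, while walking the full credential (what FreeBSD's groupmember(9) does on struct ucred) catches them. The credential struct, gids and the developer account are constructed for the example.

```c
/* Added example (not from Max Laier's mail or the pf patch): contrasts
 * matching a pf "group" rule against the effective gid only with matching
 * it against every group in the credential, as groupmember(9) does. */
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

#define DEMO_NGROUPS 16

/* Constructed stand-in for the kernel credential: cr_groups[0] is the
 * effective gid, the remaining entries are supplementary groups. */
struct demo_ucred {
    uid_t cr_uid;
    int   cr_ngroups;
    gid_t cr_groups[DEMO_NGROUPS];
};

/* Old pf behaviour: compare the rule's gid with the socket's egid only. */
bool rule_matches_primary_gid(const struct demo_ucred *cr, gid_t rule_gid)
{
    return cr->cr_ngroups > 0 && cr->cr_groups[0] == rule_gid;
}

/* New behaviour: accept the rule if any group in the credential matches
 * (the same walk FreeBSD's groupmember() performs over cr_groups). */
bool rule_matches_any_group(const struct demo_ucred *cr, gid_t rule_gid)
{
    for (int i = 0; i < cr->cr_ngroups; i++)
        if (cr->cr_groups[i] == rule_gid)
            return true;
    return false;
}

/* Constructed sample: a developer whose login group is "users" (gid 100)
 * and who is a supplementary member of "cvsuser" (gid 1001) and "wheel". */
static const gid_t CVSUSER_GID = 1001;
static const struct demo_ucred developer = {
    .cr_uid = 1000, .cr_ngroups = 3, .cr_groups = { 100, 1001, 0 }
};

int main(void)
{
    /* "pass ... port 22 group cvsuser": the egid-only check blocks the
     * developer; the member-group check lets the connection through. */
    bool ok = !rule_matches_primary_gid(&developer, CVSUSER_GID)
              && rule_matches_any_group(&developer, CVSUSER_GID);
    return ok ? 0 : 1;
}
```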