From nobody@FreeBSD.org  Fri Oct 19 22:49:21 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 6C35D709
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 19 Oct 2012 22:49:21 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 4A4758FC0C
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 19 Oct 2012 22:49:21 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.5/8.14.5) with ESMTP id q9JMnKEv008935
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 19 Oct 2012 22:49:20 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.5/8.14.5/Submit) id q9JMnK4V008931;
	Fri, 19 Oct 2012 22:49:20 GMT
	(envelope-from nobody)
Message-Id: <201210192249.q9JMnK4V008931@red.freebsd.org>
Date: Fri, 19 Oct 2012 22:49:20 GMT
From: Frank Timmers <frank@smurfnet.eu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: authpf feature enhancement
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         172888
>Category:       bin
>Synopsis:       [patch] authpf(8) feature enhancement
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-pf
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Oct 19 22:50:00 UTC 2012
>Closed-Date:    
>Last-Modified:  Fri Oct 19 23:44:24 UTC 2012
>Originator:     Frank Timmers
>Release:        FreeBSD 9.0-RELEASE
>Organization:
Lion-X
>Environment:
FreeBSD fbsdtest 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan  3 07:15:25 UTC 2012     root@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
The current version of authpf allows you to load pf rules based on the connecting user. This patch adds the possibility to load pf rules based on (primary) group membership without breaking the original functionality and behavior.
>How-To-Repeat:
User pf rules are in /etc/authpf/users/$USER

This patch will first look in the directory above, then in /etc/authpf/groups/$GROUP
>Fix:
Apply the attached patch.

Patch attached with submission follows:

diff -up contrib/pf/authpf.orig/authpf.8 contrib/pf/authpf/authpf.8
--- contrib/pf/authpf.orig/authpf.8	2012-01-03 04:24:44.000000000 +0100
+++ contrib/pf/authpf/authpf.8	2012-10-20 00:42:15.000000000 +0200
@@ -139,14 +139,20 @@ Filter and translation rules are stored 
 .Pa authpf.rules .
 This file will first be searched for in
 .Pa /etc/authpf/users/$USER/
-and then in
+, then in
+.Pa /etc/authpf/groups/$GROUP/
+and finally in
 .Pa /etc/authpf/ .
-Only one of these files will be used if both are present.
+Only the the first found file will be used.
 .Pp
 Per-user rules from the
 .Pa /etc/authpf/users/$USER/
 directory are intended to be used when non-default rules
 are needed on an individual user basis.
+Per-group rules from the
+.Pa /etc/authpf/groups/$GROUP/
+directory are intended to be used when non-default rules
+are needed on a group basis.
 It is important to ensure that a user can not write or change
 these configuration files.
 .Pp
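Review bot: the added sentence `+Only the the first found file will be used.` doubles "the", and the continuation line `+, then in` starts with a bare comma, which mdoc renders with a space in front of it because it is ordinary text on its own line. Suggest passing the comma as trailing punctuation of the macro, `.Pa /etc/authpf/users/$USER/ ,` followed by a line `then in`, and wording the sentence `Only the first file found will be used.`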
diff -up contrib/pf/authpf.orig/authpf.c contrib/pf/authpf/authpf.c
--- contrib/pf/authpf.orig/authpf.c	2012-01-03 04:24:44.000000000 +0100
+++ contrib/pf/authpf/authpf.c	2012-10-20 00:44:58.000000000 +0200
@@ -758,6 +758,12 @@ change_filter(int add, const char *l_use
 
 	if (add) {
 		struct stat sb;
+		struct group *grent;
+		if((grent = getgrgid(getgid())) == NULL) {
+			syslog(LOG_ERR, "group id %d for user %s is ot found in groupfile!",
+			    getgid(), luser);
+		}
+
 		char *pargv[13] = {
 			"pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset",
 			"-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL
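Review bot: the `getgrgid()` failure branch only logs and then continues, so `grent` stays NULL and is dereferenced later in this function when the group path is built; either return from `change_filter()` here or skip the group lookup and fall straight through to PATH_PFRULES when `grent == NULL`. In the same lines, the log message has a typo ("ot found"), `%d` is handed a `gid_t` (cast it to a suitable integer type for the format), and placing `struct group *grent;` plus the lookup ahead of `char *pargv[13]` leaves that array declared after a statement, which style(9) avoids; move the lookup below the declarations and use `if (` with a space.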
@@ -781,8 +787,12 @@ change_filter(int add, const char *l_use
 			goto no_mem;
 		if (stat(fn, &sb) == -1) {
 			free(fn);
-			if ((fn = strdup(PATH_PFRULES)) == NULL)
+			if(asprintf(&fn, "%s/%s/authpf.rules", PATH_GROUP_DIR, grent->gr_name) == -1)
 				goto no_mem;
+			if(stat(fn, &sb) == -1) {
+				if ((fn = strdup(PATH_PFRULES)) == NULL)
+					goto no_mem;
+			}
 		}
 		pargv[2] = fdpath;
 		pargv[5] = rsn;
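Review bot: in the new inner `if(stat(fn, &sb) == -1)` block the buffer that `asprintf()` allocated for the group path is overwritten by `strdup(PATH_PFRULES)` without a `free(fn)` first, so every fallback to the default rules leaks it (the original code freed the user path before its `strdup`); add `free(fn);` before the `strdup`. This hunk also dereferences `grent->gr_name` unconditionally, so the NULL case left open by the earlier hunk arrives here; guard the group step on `grent != NULL`.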
diff -up contrib/pf/authpf.orig/pathnames.h contrib/pf/authpf/pathnames.h
--- contrib/pf/authpf.orig/pathnames.h	2012-01-03 04:24:44.000000000 +0100
+++ contrib/pf/authpf/pathnames.h	2012-10-20 00:42:15.000000000 +0200
@@ -31,6 +31,7 @@
 #define PATH_PROBLEM		"/etc/authpf/authpf.problem"
 #define PATH_MESSAGE		"/etc/authpf/authpf.message"
 #define PATH_USER_DIR		"/etc/authpf/users"
+#define PATH_GROUP_DIR		"/etc/authpf/groups"
 #define PATH_BAN_DIR		"/etc/authpf/banned"
 #define PATH_DEVFILE		"/dev/pf"
 #define PATH_PIDFILE		"/var/authpf"


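The three-level lookup the submission describes (per-user, then primary group, then the global default), written as an added example that is not the submitted patch or FreeBSD's authpf code: it tolerates a missing group entry instead of dereferencing a NULL `struct group *`, releases each candidate path before trying the next, and takes the file-existence check as a callback (the hypothetical `exists_fn`) so it can be exercised offline against a constructed list of present files.

```c
#define _GNU_SOURCE             /* asprintf(3) on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PATH_USER_DIR  "/etc/authpf/users"
#define PATH_GROUP_DIR "/etc/authpf/groups"   /* introduced by the patch */
#define PATH_PFRULES   "/etc/authpf/authpf.rules"
typedef int (*exists_fn)(const char *path);   /* hypothetical stand-in for stat(2) */

/* Malloc'd path of the first rules file found, in the order user ->
 * primary group -> global default. gname is NULL when getgrgid(3) had no
 * entry for the gid: that level is skipped, not dereferenced. */
char *select_rules(const char *luser, const char *gname, exists_fn exists)
{
	char *fn;
	if (asprintf(&fn, "%s/%s/authpf.rules", PATH_USER_DIR, luser) == -1)
		return NULL;
	if (exists(fn))
		return fn;
	free(fn);
	if (gname != NULL) {
		if (asprintf(&fn, "%s/%s/authpf.rules", PATH_GROUP_DIR, gname) == -1)
			return NULL;
		if (exists(fn))
			return fn;
		free(fn);	/* release before falling through to the default */
	}
	return strdup(PATH_PFRULES);
}

/* Constructed sample listing: the only rule files that "exist" here. */
static const char *present[] = {
	"/etc/authpf/users/alice/authpf.rules",
	"/etc/authpf/groups/staff/authpf.rules",
	PATH_PFRULES,
};
int sample_exists(const char *path)
{
	for (size_t i = 0; i < sizeof present / sizeof present[0]; i++)
		if (strcmp(present[i], path) == 0)
			return 1;
	return 0;
}
/* Does the lookup for (luser, gname) pick the file `want`? */
int picks(const char *luser, const char *gname, const char *want)
{
	char *fn = select_rules(luser, gname, sample_exists);
	int ok = fn != NULL && strcmp(fn, want) == 0;
	free(fn);
	return ok;
}
```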
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-pf 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri Oct 19 23:43:57 UTC 2012 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=172888 
>Unformatted:
