Allow user:group in USER SET column of rules file

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@744 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-08 16:54:10 +01:00 · 2003-09-19 19:42:05 +00:00 · 2003-09-19 19:42:05 +00:00 · 9f14855704
commit 9f14855704
parent 6074472053
3 changed files with 62 additions and 30 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -80,3 +80,6 @@ Changes since 1.4.6

 35) Correct rules file comment.

+36) Extend USER SET column in /etc/shorewall/rules to allow user:group.
+
+
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -2308,6 +2308,8 @@ add_nat_rule() {
 #    servport	 = Port the server listens on
 #    chain	 = The canonical chain for this rule
 #    ratelimit   = Optional rate limiting clause
+#    userandgroup= -m owner clause
+#    userset     = User set name
 #
 add_a_rule()
 {
@ -2454,15 +2456,15 @@ add_a_rule()
 				for adr in `separate_list $addr`; do
 				    if [ -n "$loglevel" -a -z "$natrule" ]; then
 					log_rule_limit $loglevel $chain $logtarget "$ratelimit" -m conntrack --ctorigdst $adr \
-					    `fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
+					    $userandgroup `fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
 				    fi

 				    run_iptables2 -A $chain $proto $ratelimit $multiport $state $cli $sports \
-					-d $srv $dports -m conntrack --ctorigdst $adr -j $target
+					-d $srv $dports -m conntrack --ctorigdst $adr $userandgroup -j $target
 				done
 			    else
 				if [ -n "$loglevel" -a -z "$natrule" ]; then
-				    log_rule_limit $loglevel $chain $logtarget "$ratelimit" \
+				    log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
 					`fix_bang $proto $sports $multiport $state $cli -d $srv $dports`
 				fi

@ -2473,12 +2475,12 @@ add_a_rule()
 		    done
 		else
 		    if [ -n "$loglevel" -a -z "$natrule" ]; then
-		        log_rule_limit $loglevel $chain $logtarget "$ratelimit" \
+		        log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
 			    `fix_bang $proto $sports $multiport $state $cli $dports`
 		    fi

 		    run_iptables2 -A $chain $proto $multiport $state $cli $sports \
-			$dports $ratelimit -j $target
+			$dports $ratelimit $userandgroup -j $target
 		fi
 	    fi
 	fi
@ -2492,13 +2494,13 @@ add_a_rule()

 	if [ $command != check ]; then
 	    if [ -n "$loglevel" ]; then
-		log_rule_limit $loglevel $chain $logtarget "$ratelimit" \
+		log_rule_limit $loglevel $chain $logtarget "$ratelimit" $userandgroup \
 		    `fix_bang $proto $multiport $dest_interface $state $cli $sports $dports`
 	    fi

 	    if [ $logtarget != LOG ]; then
 		run_iptables2 -A $chain $proto $multiport $dest_interface $state \
-		    $cli $sports $dports $ratelimit -j $target
+		    $cli $sports $dports $ratelimit $userandgroup -j $target
 	    fi
 	fi
    fi
@ -2526,6 +2528,7 @@ process_rule() # $1 = target
    local address="$7"
    local ratelimit="$8"
    local userset="$9"
+    local userandgroup=
    local rule="`echo $target $clients $servers $protocol $ports $cports $address $ratelimit $userset`"

    # Function Body - isolate rate limit
@ -2578,27 +2581,48 @@ process_rule() # $1 = target
    [ "x$address" = "x-" ] && address=

    if [ -n "$userset" ]; then
-	if ! havechain `accept_chain $userset`; then
-	    fatal_error "Unknown user set $userset: rule \"$rule\""
-	fi
-
-	case $target in
-	    ACCEPT)
-		target=`accept_chain $userset`
-		;;
-	    DROP)
-		target=`drop_chain $userset`
-		;;
-	    REJECT)
-		target=`reject_chain $userset`
+	case "$userset" in
+	    *:*)
+		case $target in 
+		    ACCEPT|REJECT|DROP)
+			;;
+		    *)
+			fatal_error "<user>:<group> may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
+			;;
+		esac
+			
+		if [ "$userset" != ":" ]; then
+		    userandgroup="-m owner"
+		    temp="${userset%:*}"
+		    [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" 
+		    temp="${userset#*:}"
+		    [ -n "$temp" ] && userandgroup="$userandgroup --gid-owner $temp"
+		fi 
+		userset=
 		;;
 	    *)
-		[ -n "$userset" ] && \
-		    fatal_error "A user set may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
+		if ! havechain `accept_chain $userset`; then
+		    fatal_error "Unknown user set $userset: rule \"$rule\""
+		fi
+		
+		case $target in
+		    ACCEPT)
+			target=`accept_chain $userset`
+			;;
+		    DROP)
+			target=`drop_chain $userset`
+			;;
+		    REJECT)
+			target=`reject_chain $userset`
+			;;
+		    *)
+			fatal_error "A user set may only be specified in ACCEPT, REJECT and DROP rules: rule \"$rule\""
+		esac
+		
+		[ -n "$loglevel" ] && \
+		    fatal_error "Logging may not be specified on a rule with a User Set: rule \"$rule\""
+		;;
 	esac
-
-	[ -n "$loglevel" ] && \
-	    fatal_error "Logging may not be specified on a rule with a User Set: rule \"$rule\""
    else
 	case $target in
 	    ACCEPT|LOG)
--- a/Shorewall/rules
+++ b/Shorewall/rules
@ -232,13 +232,18 @@
 #			the firewall itself and the ACTION is ACCEPT, DROP or
 #			REJECT.
 #			
-#			The colume may contain a user set name defined in the
-#			/etc/shorewall/usersets file.
-#			
+#			The column may contain a user set name defined in the
+#			/etc/shorewall/usersets file or it may contain:
+#
+#			   [<user name or number>]:[<group name or number>]
+#
 #			When this column is non-empty, the rule applies only
 #			if the program generating the output is running under
-#			the effective <user> and/or <group> specified. A log
-#			level may not be given in the ACTION column.
+#			the effective <user>(s) and/or <group>(s) specified.
+#			When a user set name is given, a log level may not be
+#			present in the ACTION column; logging for such rules is
+#			controlled by the user set's entry in 
+#			/etc/shorewall/usersets.
 #
 #	Example: Accept SMTP requests from the DMZ to the internet
 #