mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-25 15:48:56 +01:00
Add support for --cmd-owner
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2078 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
d93215ccc3
commit
9fc88cfbd5
@ -69,7 +69,7 @@
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>]
|
||||
# [!][<user name or number>][:<group name or number>][/<program name>]
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
@ -83,6 +83,7 @@
|
||||
# #the 'kids' group
|
||||
# !:kids #program must not be run by a member
|
||||
# #of the 'kids' group
|
||||
# /upnpd #program named upnpd
|
||||
#
|
||||
# In all of the above columns except ACTION and CHAIN, the values "-",
|
||||
# "any" and "all" may be used as wildcards
|
||||
|
@ -146,7 +146,7 @@
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>]
|
||||
# [!][<user name or number>][:<group name or number>][/<program name>]
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
@ -160,6 +160,7 @@
|
||||
# #the 'kids' group
|
||||
# !:kids #program must not be run by a member
|
||||
# #of the 'kids' group
|
||||
# /upnpd #program named upnpd
|
||||
#
|
||||
######################################################################################
|
||||
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
|
||||
|
@ -1,290 +1,3 @@
|
||||
Changes in 2.2.4
|
||||
Changes in 2.3.0
|
||||
|
||||
1) Added support for UPnP
|
||||
|
||||
2) Add 'started' hook.
|
||||
|
||||
3) Make an error message more self-explanatory
|
||||
|
||||
4) Report Owner Match capability
|
||||
|
||||
5) Add Paul Traina's patch to install.sh.
|
||||
|
||||
6) Allow startup options to be overridden in /etc/sysconfig/shorewall
|
||||
or /etc/default/shorewall.
|
||||
|
||||
7) Add support for SAME
|
||||
|
||||
8) Add 'shorewall show capabilities'
|
||||
|
||||
8) Add '-v' option
|
||||
|
||||
9) Allow 'none' in /etc/shorewall/rules.
|
||||
|
||||
10) Add error message for invalid HOST(S) column contents.
|
||||
|
||||
11) Apply Christian Rodriguez's patch for Slackware install.
|
||||
|
||||
Changes in 2.2.3
|
||||
|
||||
1) Added the 'continue' extension script.
|
||||
|
||||
2) Obey 'routestopped' rules during [re]start.
|
||||
|
||||
3) MACLIST_TTL added.
|
||||
|
||||
4) Fix ! in hosts file
|
||||
|
||||
5) Add QUEUE policy.
|
||||
|
||||
6) Fix routing output when advanced routing support not in kernel.
|
||||
|
||||
Changes in 2.2.2
|
||||
|
||||
1) The 'check' command disclaimer is toned down further and only
|
||||
appears once in the 'check' output.
|
||||
|
||||
2) Enhanced support in the SOURCE column of /etc/shorewall/tcrules.
|
||||
|
||||
3) All calls to 'clear' are now conditional on the output device being
|
||||
a terminal.
|
||||
|
||||
4) Apply Juergen Kreileder's patch for logging.
|
||||
|
||||
5) Add the output of 'arp -na' to the 'shorewall status' display.
|
||||
|
||||
6) Provide support for the Extended multiport match available in
|
||||
2.6.11.
|
||||
|
||||
7) Fix logging rule generation.
|
||||
|
||||
8) Correct port numbers in action.AllowPCA.
|
||||
|
||||
9) Fix installer's handling of action.* files.
|
||||
|
||||
10) Implement RFC1918_STRICT
|
||||
|
||||
11) Verify interface names in the DEST column of tcrules.
|
||||
|
||||
Changes in 2.2.1
|
||||
|
||||
1) Add examples to the zones and policy files.
|
||||
|
||||
2) Simon Matter's patch for umask.
|
||||
|
||||
Changes since 2.0.3
|
||||
|
||||
1) Fix security vulnerability involving temporary files/directories.
|
||||
|
||||
2) Hack security fix so that it works under Slackware.
|
||||
|
||||
3) Correct mktempfile() for case where mktemp isn't installed.
|
||||
|
||||
4) Implement 'dropInvalid' builtin action.
|
||||
|
||||
5) Fix logging nat rules.
|
||||
|
||||
6) Fix COMMAND typos.
|
||||
|
||||
7) Add PKTTYPE option.
|
||||
|
||||
8) Enhancements to /etc/shorewall/masq
|
||||
|
||||
8) Allow overriding ADD_IP_ALIASES=Yes
|
||||
|
||||
9) Fix syntax error in setup_nat()
|
||||
|
||||
10) Port "shorewall status" changes from 2.0.7.
|
||||
|
||||
11) All config files are now empty.
|
||||
|
||||
12) Port blacklisting fix from 2.0.7
|
||||
|
||||
13) Pass rule chain and display chain separately to log_rule_limit.
|
||||
Prep work for action logging.
|
||||
|
||||
14) Show the iptables/ip/tc command that failed when failure is fatal.
|
||||
|
||||
15) Implement STARTUP_ENABLED.
|
||||
|
||||
16) Added DNAT ONLY column to /etc/shorewall/nat.
|
||||
|
||||
17) Removed SNAT from ORIGINAL DESTINATION column.
|
||||
|
||||
18) Removed DNAT ONLY column.
|
||||
|
||||
19) Added IPSEC column to /etc/shorewall/masq.
|
||||
|
||||
20) No longer enforce source port 500 for ISAKMP.
|
||||
|
||||
21) Apply policy to interface/host options.
|
||||
|
||||
22) Fix policy and maclist.
|
||||
|
||||
23) Implement additional IPSEC options for zones and masq entries.
|
||||
|
||||
24) Deprecate the -c option in /sbin/shorewall.
|
||||
|
||||
25) Allow distinct input and output IPSEC parameters.
|
||||
|
||||
26) Allow source port remapping in /etc/shorewall/masq.
|
||||
|
||||
27) Include params file on 'restore'
|
||||
|
||||
28) Apply Richard Musil's patch.
|
||||
|
||||
29) Correct parsing of PROTO column in setup_tc1().
|
||||
|
||||
30) Verify Physdev match if BRIDGING=Yes
|
||||
|
||||
31) Don't NAT tunnel traffic.
|
||||
|
||||
32) Fix shorewall.spec to run chkconfig/insserv after initial install.
|
||||
|
||||
33) Add iprange support.
|
||||
|
||||
34) Add CLASSIFY support.
|
||||
|
||||
35) Fix iprange support so that ranges in both source and destination
|
||||
work.
|
||||
|
||||
36) Remove logunclean and dropunclean
|
||||
|
||||
37) Fixed proxy arp flag setting for complex configurations.
|
||||
|
||||
38) Added RETAIN_ALIASES option.
|
||||
|
||||
39) Relax OpenVPN source port restrictions.
|
||||
|
||||
40) Implement DELAYBLACKLISTLOAD.
|
||||
|
||||
41) Avoid double-setting proxy arp flags.
|
||||
|
||||
42) Fix DELAYBLACKLISTLOAD=No.
|
||||
|
||||
43) Merge 'brctl show' change from 2.0.9.
|
||||
|
||||
44) Implememt LOGTAGONLY.
|
||||
|
||||
45) Merge 'tcrules' clarification from 2.0.10.
|
||||
|
||||
46) Implement 'sourceroute' interface option.
|
||||
|
||||
47) Add 'AllowICMPs' action.
|
||||
|
||||
48) Changed 'activate_rules' such that traffic from IPSEC hosts gets
|
||||
handled before traffic from non-IPSEC zones.
|
||||
|
||||
49) Correct logmartians handling.
|
||||
|
||||
50) Add a clarification and fix a typo in the blacklist file.
|
||||
|
||||
51) Allow setting a specify MSS value.
|
||||
|
||||
52) Detect duplicate zone names.
|
||||
|
||||
53) Add mss=<number> option to the ipsec file.
|
||||
|
||||
54) Added CONNMARK/ipp2p support.
|
||||
|
||||
55) Added LOGALLNEW support.
|
||||
|
||||
56) Fix typo in check_config()
|
||||
|
||||
57) Allow outgoing NTP responses in action.AllowNTP.
|
||||
|
||||
58) Clarification of the 'ipsec' hosts file option.
|
||||
|
||||
59) Allow list in the SUBNET column of the rfc1918 file.
|
||||
|
||||
60) Restore missing '#' in the rfc1918 file.
|
||||
|
||||
61) Add note for Slackware users to INSTALL.
|
||||
|
||||
62) Allow interface in DEST tcrules column.
|
||||
|
||||
63) Remove 'ipt_unclean' from search expression in "log" commands.
|
||||
|
||||
64) Remove nonsense from IPSEC description in masq file.
|
||||
|
||||
65) Correct typo in rules file.
|
||||
|
||||
66) Update bogons file.
|
||||
|
||||
67) Add a rule for NNTPS to action.AllowNNTP
|
||||
|
||||
68) Fix "shorewall add"
|
||||
|
||||
69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file.
|
||||
|
||||
70) Correct typo in shorewall.conf.
|
||||
|
||||
71) Add the 'icmp_echo_ignore_all' file to the /proc display.
|
||||
|
||||
72) Apply Tuomas Jormola's IPTABLES patch.
|
||||
|
||||
73) Fixed some bugs in Tuomas's patch.
|
||||
|
||||
74) Correct bug in "shorewall add"
|
||||
|
||||
75) Correct bridge handling in "shorewall add" and "shorewall delete"
|
||||
|
||||
76) Add "shorewall show zones"
|
||||
|
||||
77) Remove dependency of "show zones" on dynamic zones.
|
||||
|
||||
78) Implement variable expansion in INCLUDE directives
|
||||
|
||||
79) More fixes for "shorewall delete" with bridging.
|
||||
|
||||
80) Split restore-base into two files.
|
||||
|
||||
81) Correct OUTPUT handling of dynamic zones.
|
||||
|
||||
83) Add adapter statistics to the output of "shorewall status".
|
||||
|
||||
84) Log drops due to policy rate limiting.
|
||||
|
||||
85) Continue determining capabilities when fooX1234 already exists.
|
||||
|
||||
86) Corrected typo in interfaces file.
|
||||
|
||||
87) Add DROPINVALID option.
|
||||
|
||||
88) Allow list of hosts in add and delete commands. Fix ipsec problem
|
||||
with "add" and "delete"
|
||||
|
||||
89) Clarify add/delete syntax in /sbin/shorewall usage summary.
|
||||
|
||||
90) Implement OpenVPN TCP support.
|
||||
|
||||
91) Simplify the absurdly over-engineered code that restores the
|
||||
dynamic chain.
|
||||
|
||||
92) Add OPENVPNPORT option.
|
||||
|
||||
93) Remove OPENVPNPORT option and change default port to 1194.
|
||||
|
||||
94) Avoid shell error during "shorewall stop/clear"
|
||||
|
||||
95) Change encryption to blowfish in 'ipsecvpn' script.
|
||||
|
||||
96) Correct rate limiting rule example.
|
||||
|
||||
97) Fix <if>:: handling in setup_masq().
|
||||
|
||||
98) Fix mis-leading typo in tunnels.
|
||||
|
||||
99) Fix brain-dead ipsec option handling in setup_masq().
|
||||
|
||||
100) Reconcile ipsec masq file implementation with the documentation.
|
||||
|
||||
101) Add netfilter module display to status output.
|
||||
|
||||
102) Add 'allowInvalid' builtin action.
|
||||
|
||||
103) Expand range of Traceroute ports.
|
||||
|
||||
102) Correct uninitialized variable in setup_ecn()
|
||||
|
||||
103) Allow DHCP to be IPSEC-encrypted.
|
||||
1) Implement support for --cmd-owner
|
||||
|
@ -2405,16 +2405,24 @@ process_tc_rule()
|
||||
[ "$chain" != tcout ] && \
|
||||
fatal_error "Invalid use of a user/group: rule \"$rule\""
|
||||
|
||||
r="$r-m owner"
|
||||
|
||||
case "$user" in
|
||||
*/*)
|
||||
r="$r --cmd-owner ${user#*/}"
|
||||
user=${user%/*}
|
||||
;;
|
||||
esac
|
||||
|
||||
case "$user" in
|
||||
*:*)
|
||||
r="$r-m owner"
|
||||
temp="${user%:*}"
|
||||
[ -n "$temp" ] && r="$r --uid-owner $temp "
|
||||
temp="${user#*:}"
|
||||
[ -n "$temp" ] && r="$r --gid-owner $temp "
|
||||
;;
|
||||
*)
|
||||
r="$r-m owner --uid-owner $user "
|
||||
r="$r--uid-owner $user "
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
@ -2646,6 +2654,7 @@ process_accounting_rule() {
|
||||
rule=
|
||||
rule2=
|
||||
jumpchain=
|
||||
user1=
|
||||
|
||||
accounting_error() {
|
||||
error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user
|
||||
@ -2670,6 +2679,7 @@ process_accounting_rule() {
|
||||
rule="$rule -j $jumpchain"
|
||||
}
|
||||
|
||||
|
||||
case $source in
|
||||
*:*)
|
||||
accounting_interface_verify ${source%:*}
|
||||
@ -2735,19 +2745,50 @@ process_accounting_rule() {
|
||||
[ -n "$user" ] && case $user in
|
||||
-|any|all)
|
||||
;;
|
||||
*:*)
|
||||
[ "$chain" != OUTPUT ] && \
|
||||
fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain"
|
||||
rule="$rule -m owner"
|
||||
temp="${user%:*}"
|
||||
[ -n "$temp" ] && rule="$rule --uid-owner $temp "
|
||||
temp="${user#*:}"
|
||||
[ -n "$temp" ] && rule="$rule --gid-owner $temp "
|
||||
;;
|
||||
*)
|
||||
[ "$chain" != OUTPUT ] && \
|
||||
fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain"
|
||||
rule="$rule -m owner --uid-owner $user "
|
||||
rule="$rule -m owner"
|
||||
user1="$user"
|
||||
|
||||
case "$user" in
|
||||
!*/*)
|
||||
if [ "$user" != "!/" ]; then
|
||||
rule="$rule ! --cmd-owner ${user#*/} "
|
||||
user1=${user%/*}
|
||||
fi
|
||||
;;
|
||||
*/*)
|
||||
rule="$rule --cmd-owner ${user#*/} "
|
||||
user1=${user%/*}
|
||||
;;
|
||||
esac
|
||||
|
||||
case "$user1" in
|
||||
!*:*)
|
||||
if [ "$user1" != "!:" ]; then
|
||||
temp="${user1#!}"
|
||||
temp="${temp%:*}"
|
||||
[ -n "$temp" ] && rule="$rule ! --uid-owner $temp "
|
||||
temp="${user1#*:}"
|
||||
[ -n "$temp" ] && rule="$rule ! --gid-owner $temp "
|
||||
fi
|
||||
;;
|
||||
*:*)
|
||||
if [ "$user1" != ":" ]; then
|
||||
temp="${user1%:*}"
|
||||
[ -n "$temp" ] && rule="$rule --uid-owner $temp "
|
||||
temp="${user1#*:}"
|
||||
[ -n "$temp" ] && rule="$rule --gid-owner $temp "
|
||||
fi
|
||||
;;
|
||||
!*)
|
||||
[ "$user1" != "!" ] && rule="$rule ! --uid-owner ${user1#!} "
|
||||
;;
|
||||
*)
|
||||
[ -n "$user1" ] && rule="$rule --uid-owner $user1 "
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -3136,10 +3177,26 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
[ "x$userspec" = "x-" ] && userspec=
|
||||
|
||||
if [ -n "$userspec" ]; then
|
||||
userandgroup="-m owner"
|
||||
|
||||
case "$userspec" in
|
||||
!*/*)
|
||||
if [ "$userspec" != "!/" ]; then
|
||||
userandgroup="$userandgroup ! --cmd-owner ${userspec#*/}"
|
||||
userspec=${userspec%/*}
|
||||
fi
|
||||
;;
|
||||
*/*)
|
||||
if [ "$userspec" != "/" ]; then
|
||||
userandgroup="$userandgroup --cmd-owner ${userspec#*/}"
|
||||
userspec=${userspec%/*}
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
case "$userspec" in
|
||||
!*:*)
|
||||
if [ "$userspec" != "!:" ]; then
|
||||
userandgroup="-m owner"
|
||||
temp="${userspec#!}"
|
||||
temp="${temp%:*}"
|
||||
[ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp"
|
||||
@ -3149,7 +3206,6 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
;;
|
||||
*:*)
|
||||
if [ "$userspec" != ":" ]; then
|
||||
userandgroup="-m owner"
|
||||
temp="${userspec%:*}"
|
||||
[ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp"
|
||||
temp="${userspec#*:}"
|
||||
@ -3157,12 +3213,14 @@ process_action() # $1 = chain (Chain to add the rules to)
|
||||
fi
|
||||
;;
|
||||
!*)
|
||||
userandgroup="-m owner ! --uid-owner ${userspec#!}"
|
||||
[ "$userspec" != "!" ] && userandgroup="$userandgroup ! --uid-owner ${userspec#!}"
|
||||
;;
|
||||
*)
|
||||
userandgroup="-m owner --uid-owner $userspec"
|
||||
[ -n "$userspec" ] && userandgroup="$userandgroup --uid-owner $userspec"
|
||||
;;
|
||||
esac
|
||||
|
||||
[ "$userandgroup" = "-m owner" ] && userandgroup=
|
||||
fi
|
||||
|
||||
# Isolate log level
|
||||
@ -4105,7 +4163,7 @@ add_a_rule()
|
||||
|
||||
case "$logtarget" in
|
||||
ACCEPT|DROP|REJECT|CONTINUE)
|
||||
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then
|
||||
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userandgroup" ] ; then
|
||||
error_message "Warning -- Rule \"$rule\" is a POLICY"
|
||||
error_message " -- and should be moved to the policy file"
|
||||
fi
|
||||
@ -4295,10 +4353,27 @@ process_rule() # $1 = target
|
||||
[ "x$address" = "x-" ] && address=
|
||||
|
||||
if [ -n "$userspec" ]; then
|
||||
|
||||
userandgroup="-m owner"
|
||||
|
||||
case "$userspec" in
|
||||
!*/*)
|
||||
if [ "$userspec" != "!/" ]; then
|
||||
userandgroup="$userandgroup ! --cmd-owner ${userspec#*/}"
|
||||
userspec=${userspec%/*}
|
||||
fi
|
||||
;;
|
||||
*/*)
|
||||
if [ "$userspec" != "/" ]; then
|
||||
userandgroup="$userandgroup --cmd-owner ${userspec#*/}"
|
||||
userspec=${userspec%/*}
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
case "$userspec" in
|
||||
!*:*)
|
||||
if [ "$userspec" != "!:" ]; then
|
||||
userandgroup="-m owner"
|
||||
temp="${userspec#!}"
|
||||
temp="${temp%:*}"
|
||||
[ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp"
|
||||
@ -4308,7 +4383,6 @@ process_rule() # $1 = target
|
||||
;;
|
||||
*:*)
|
||||
if [ "$userspec" != ":" ]; then
|
||||
userandgroup="-m owner"
|
||||
temp="${userspec%:*}"
|
||||
[ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp"
|
||||
temp="${userspec#*:}"
|
||||
@ -4316,12 +4390,14 @@ process_rule() # $1 = target
|
||||
fi
|
||||
;;
|
||||
!*)
|
||||
userandgroup="-m owner ! --uid-owner ${userspec#!}"
|
||||
[ "$userspec" != "!" ] && userandgroup="$userandgroup ! --uid-owner ${userspec#!}"
|
||||
;;
|
||||
*)
|
||||
userandgroup="-m owner --uid-owner $userspec"
|
||||
[ -n "$userspec" ] && userandgroup="$userandgroup --uid-owner $userspec"
|
||||
;;
|
||||
esac
|
||||
|
||||
[ "$userandgroup" = "-m owner" ] && userandgroup=
|
||||
fi
|
||||
|
||||
case $target in
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -285,7 +285,7 @@
|
||||
#
|
||||
# The column may contain:
|
||||
#
|
||||
# [!][<user name or number>][:<group name or number>]
|
||||
# [!][<user name or number>][:<group name or number>][/<program name>]
|
||||
#
|
||||
# When this column is non-empty, the rule applies only
|
||||
# if the program generating the output is running under
|
||||
@ -299,6 +299,7 @@
|
||||
# #the 'kids' group
|
||||
# !:kids #program must not be run by a member
|
||||
# #of the 'kids' group
|
||||
# /upnpd #program named 'upnpd'
|
||||
#
|
||||
# Example: Accept SMTP requests from the DMZ to the internet
|
||||
#
|
||||
|
Loading…
Reference in New Issue
Block a user