holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Rewrite handling of the USER/GROUP column

Browse Source 
- Remove code that handled '+program' as that support was removed from
  the kernel in 2.6.14.
This commit is contained in:
Tom Eastep 2012-06-19 08:14:31 -07:00
parent da3e1b720c
commit 4d336ed8d6
2 changed files with 24 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -4206,45 +4206,38 @@ sub do_user( $ ) {
require_capability 'OWNER_MATCH', 'A non-empty USER column', 's'; require_capability 'OWNER_MATCH', 'A non-empty USER column', 's';
if ( $user =~ /^(!)?(.*)\+(.*)$/ ) { assert ( $user =~ /^(!)?(.*?)(:(.*))?$/ );
$rule .= "! --cmd-owner $2 " if supplied $2;
$user = "!$1";
} elsif ( $user =~ /^(.*)\+(.*)$/ ) {
$rule .= "--cmd-owner $2 " if supplied $2;
$user = $1;
}
if ( $user =~ /^(!)?(.*):(.*)$/ ) {
my $invert = $1 ? '! ' : ''; my $invert = $1 ? '! ' : '';
my $group = defined $3 ? $3 : ''; my $group = supplied $4 ? $4 : '';
if ( supplied $2 ) { if ( supplied $2 ) {
$user = $2; $user = $2;
$user = resolve_id( $user, 'user' ) unless $user =~ /\d+(-\d+)?$/; if ( $user =~ /(\d+)(-(\d+))?$/ ) {
if ( supplied $2 ) {
fatal_error "Invalid User Range ($user)" unless $3 >= $1;
}
} else {
$user = resolve_id( $user, 'user' );
}
$rule .= "${invert}--uid-owner $user "; $rule .= "${invert}--uid-owner $user ";
} }
if ( $group ne '' ) { if ( $group ne '' ) {
$group = resolve_id( $group, 'group' ) unless $group =~ /^\d+(-\d+)?$/; if ( $group =~ /^(\d+)(-(\d+))?$/ ) {
$rule .= "${invert}--gid-owner $group "; if ( supplied $2 ) {
fatal_error "Invalid Group Range ($group)" unless $3 >= $1;
} }
} elsif ( $user =~ /^(!)?(.*)$/ ) {
my $invert = $1 ? '! ' : '';
$user = $2;
fatal_error "Invalid USER/GROUP (!)" if $user eq '';
$user = resolve_id ($user, 'user' ) unless $user =~ /\d+(-\d+)?$/;
$rule .= "${invert}--uid-owner $user ";
} else { } else {
$user = resolve_id( $user, 'user' ) unless $user =~ /\d+(-\d+)?$/; $group = resolve_id( $group, 'group' );
$rule .= "--uid-owner $user "; }
$rule .= "${invert}--gid-owner $group ";
} }
$rule; $rule;
} }
# #
# Create a "-m tos" match for the passed TOS # Create a "-m tos" match for the passed TOS
# #

16
Shorewall/manpages/shorewall-rules.xml
View File

@ -1084,8 +1084,7 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
<listitem> <listitem>
<para>This optional column may only be non-empty if the SOURCE is <para>This optional column may only be non-empty if the SOURCE is
@ -1124,19 +1123,6 @@
group</para> group</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>+upnpd</term>
<listitem>
<para>program named upnpd</para>
<important>
<para>The ability to specify a program name was removed from
Netfilter in kernel version 2.6.14.</para>
</important>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>