Add support for --cmd-owner

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2078 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-05-03 21:33:09 +00:00 · 2005-05-03 21:33:09 +00:00 · 9fc88cfbd5
commit 9fc88cfbd5
parent d93215ccc3
6 changed files with 130 additions and 1328 deletions
--- a/Shorewall2/accounting
+++ b/Shorewall2/accounting
@ -69,7 +69,7 @@
 #			
 #			The column may contain:
 #
-#			   [!][<user name or number>][:<group name or number>]
+#			   [!][<user name or number>][:<group name or number>][/<program name>]
 #
 #			When this column is non-empty, the rule applies only
 #			if the program generating the output is running under
@ -83,6 +83,7 @@
 #					#the 'kids' group
 #				!:kids  #program must not be run by a member
 #					#of the 'kids' group
 #				/upnpd  #program named upnpd
 #
 #	In all of the above columns except ACTION and CHAIN, the values "-",
 #	"any" and "all" may be used as wildcards
--- a/Shorewall2/action.template
+++ b/Shorewall2/action.template
@ -146,7 +146,7 @@
 #			
 #			The column may contain:
 #
-#			   [!][<user name or number>][:<group name or number>]
+#			   [!][<user name or number>][:<group name or number>][/<program name>]
 #
 #			When this column is non-empty, the rule applies only
 #			if the program generating the output is running under
@ -160,6 +160,7 @@
 #					#the 'kids' group
 #				!:kids  #program must not be run by a member
 #					#of the 'kids' group
 #				/upnpd  #program named upnpd
 #
 ######################################################################################
 #TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE		USER/
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -1,290 +1,3 @@
-Changes in 2.2.4
+Changes in 2.3.0
-1) Added support for UPnP
+1) Implement support for --cmd-owner
 2) Add 'started' hook.
 3) Make an error message more self-explanatory
 4) Report Owner Match capability
 5) Add Paul Traina's patch to install.sh.
 6) Allow startup options to be overridden in /etc/sysconfig/shorewall
   or /etc/default/shorewall.
 7) Add support for SAME
 8) Add 'shorewall show capabilities'
 8) Add '-v' option
 9) Allow 'none' in /etc/shorewall/rules.
 10) Add error message for invalid HOST(S) column contents.
 11) Apply Christian Rodriguez's patch for Slackware install.
 Changes in 2.2.3
 1) Added the 'continue' extension script.
 2) Obey 'routestopped' rules during [re]start.
 3) MACLIST_TTL added.
 4) Fix ! in hosts file
 5) Add QUEUE policy.
 6) Fix routing output when advanced routing support not in kernel.
 Changes in 2.2.2
 1) The 'check' command disclaimer is toned down further and only
   appears once in the 'check' output.
 2) Enhanced support in the SOURCE column of /etc/shorewall/tcrules.
 3) All calls to 'clear' are now conditional on the output device being
   a terminal.
 4) Apply Juergen Kreileder's patch for logging.
 5) Add the output of 'arp -na' to the 'shorewall status' display.
 6) Provide support for the Extended multiport match available in
   2.6.11.
 7) Fix logging rule generation.
 8) Correct port numbers in action.AllowPCA.
 9) Fix installer's handling of action.* files.
 10) Implement RFC1918_STRICT
 11) Verify interface names in the DEST column of tcrules.
 Changes in 2.2.1
 1) Add examples to the zones and policy files.
 2) Simon Matter's patch for umask.
 Changes since 2.0.3
 1) Fix security vulnerability involving temporary files/directories.
 2) Hack security fix so that it works under Slackware.
 3) Correct mktempfile() for case where mktemp isn't installed.
 4) Implement 'dropInvalid' builtin action.
 5) Fix logging nat rules.
 6) Fix COMMAND typos.
 7) Add PKTTYPE option.
 8) Enhancements to /etc/shorewall/masq
 8) Allow overriding ADD_IP_ALIASES=Yes
 9) Fix syntax error in setup_nat()
 10) Port "shorewall status" changes from 2.0.7.
 11) All config files are now empty.
 12) Port blacklisting fix from 2.0.7
 13) Pass rule chain and display chain separately to log_rule_limit.
    Prep work for action logging.
 14) Show the iptables/ip/tc command that failed when failure is fatal.
 15) Implement STARTUP_ENABLED.
 16) Added DNAT ONLY column to /etc/shorewall/nat.
 17) Removed SNAT from ORIGINAL DESTINATION column.
 18) Removed DNAT ONLY column.
 19) Added IPSEC column to /etc/shorewall/masq.
 20) No longer enforce source port 500 for ISAKMP.
 21) Apply policy to interface/host options.
 22) Fix policy and maclist.
 23) Implement additional IPSEC options for zones and masq entries.
 24) Deprecate the -c option in /sbin/shorewall.
 25) Allow distinct input and output IPSEC parameters.
 26) Allow source port remapping in /etc/shorewall/masq.
 27) Include params file on 'restore'
 28) Apply Richard Musil's patch.
 29) Correct parsing of PROTO column in setup_tc1().
 30) Verify Physdev match if BRIDGING=Yes
 31) Don't NAT tunnel traffic.
 32) Fix shorewall.spec to run chkconfig/insserv after initial install.
 33) Add iprange support.
 34) Add CLASSIFY support.
 35) Fix iprange support so that ranges in both source and destination
    work.
 36) Remove logunclean and dropunclean
 37) Fixed proxy arp flag setting for complex configurations.
 38) Added RETAIN_ALIASES option.
 39) Relax OpenVPN source port restrictions.
 40) Implement DELAYBLACKLISTLOAD.
 41) Avoid double-setting proxy arp flags.
 42) Fix DELAYBLACKLISTLOAD=No.
 43) Merge 'brctl show' change from 2.0.9.
 44) Implememt LOGTAGONLY.
 45) Merge 'tcrules' clarification from 2.0.10.
 46) Implement 'sourceroute' interface option.
 47) Add 'AllowICMPs' action.
 48) Changed 'activate_rules' such that traffic from IPSEC hosts gets
    handled before traffic from non-IPSEC zones.
 49) Correct logmartians handling.
 50) Add a clarification and fix a typo in the blacklist file.
 51) Allow setting a specify MSS value.
 52) Detect duplicate zone names.
 53) Add mss=<number> option to the ipsec file.
 54) Added CONNMARK/ipp2p support.
 55) Added LOGALLNEW support.
 56) Fix typo in check_config()
 57) Allow outgoing NTP responses in action.AllowNTP.
 58) Clarification of the 'ipsec' hosts file option.
 59) Allow list in the SUBNET column of the rfc1918 file.
 60) Restore missing '#' in the rfc1918 file.
 61) Add note for Slackware users to INSTALL.
 62) Allow interface in DEST tcrules column.
 63) Remove 'ipt_unclean' from search expression in "log" commands.
 64) Remove nonsense from IPSEC description in masq file.
 65) Correct typo in rules file.
 66) Update bogons file.
 67) Add a rule for NNTPS to action.AllowNNTP
 68) Fix "shorewall add"
 69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file.
 70) Correct typo in shorewall.conf.
 71) Add the 'icmp_echo_ignore_all' file to the /proc display.
 72) Apply Tuomas Jormola's IPTABLES patch.
 73) Fixed some bugs in Tuomas's patch.
 74) Correct bug in "shorewall add"
 75) Correct bridge handling in "shorewall add" and "shorewall delete"
 76) Add "shorewall show zones"
 77) Remove dependency of "show zones" on dynamic zones.
 78) Implement variable expansion in INCLUDE directives
 79) More fixes for "shorewall delete" with bridging.
 80) Split restore-base into two files.
 81) Correct OUTPUT handling of dynamic zones.
 83) Add adapter statistics to the output of "shorewall status".
 84) Log drops due to policy rate limiting.
 85) Continue determining capabilities when fooX1234 already exists.
 86) Corrected typo in interfaces file.
 87) Add DROPINVALID option.
 88) Allow list of hosts in add and delete commands. Fix ipsec problem
    with "add" and "delete"
 89) Clarify add/delete syntax in /sbin/shorewall usage summary.
 90) Implement OpenVPN TCP support.
 91) Simplify the absurdly over-engineered code that restores the
    dynamic chain.
 92) Add OPENVPNPORT option.
 93) Remove OPENVPNPORT option and change default port to 1194.
 94) Avoid shell error during "shorewall stop/clear"
 95) Change encryption to blowfish in 'ipsecvpn' script.
 96) Correct rate limiting rule example.
 97) Fix <if>:: handling in setup_masq().
 98) Fix mis-leading typo in tunnels.
 99) Fix brain-dead ipsec option handling in setup_masq().
 100) Reconcile ipsec masq file implementation with the documentation.
 101) Add netfilter module display to status output.
 102) Add 'allowInvalid' builtin action.
 103) Expand range of Traceroute ports.
 102) Correct uninitialized variable in setup_ecn()
 103) Allow DHCP to be IPSEC-encrypted.
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -2405,16 +2405,24 @@ process_tc_rule()
 	    [ "$chain" != tcout ] && \
 		fatal_error "Invalid use of a user/group: rule \"$rule\""
 	    r="$r-m owner"
 	    case "$user" in
 		*/*)
 		    r="$r --cmd-owner ${user#*/}"
 		    user=${user%/*}
 		    ;;
 	    esac
 	    case "$user" in
 		*:*)
 		    r="$r-m owner"
 		    temp="${user%:*}"
 		    [ -n "$temp" ] && r="$r --uid-owner $temp " 
 		    temp="${user#*:}"
 		    [ -n "$temp" ] && r="$r --gid-owner $temp "
 		    ;;
 		*)
-		    r="$r-m owner --uid-owner $user "
+		    r="$r--uid-owner $user "
 		    ;;
 	    esac
 	fi
@ -2646,6 +2654,7 @@ process_accounting_rule() {
    rule=
    rule2=
    jumpchain=
    user1=
    accounting_error() {
 	error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user
@ -2670,6 +2679,7 @@ process_accounting_rule() {
 	rule="$rule -j $jumpchain"
    }
    case $source in
 	*:*)
 	    accounting_interface_verify ${source%:*}
@ -2735,19 +2745,50 @@ process_accounting_rule() {
    [ -n "$user" ] && case $user in
 	-|any|all)
 	    ;;
 	*:*)
 	    [ "$chain" != OUTPUT ] && \
 		fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain"
 	    rule="$rule -m owner"
 	    temp="${user%:*}"
 	    [ -n "$temp" ] && rule="$rule --uid-owner $temp " 
 	    temp="${user#*:}"
 	    [ -n "$temp" ] && rule="$rule --gid-owner $temp "
 	    ;;
 	*)
 	    [ "$chain" != OUTPUT ] && \
 		fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain"
-	    rule="$rule -m owner --uid-owner $user "
+	    rule="$rule -m owner"
 	    user1="$user"
 	    case "$user" in
 		!*/*)
 		    if [ "$user" != "!/" ]; then
 			rule="$rule ! --cmd-owner ${user#*/} "
 			user1=${user%/*}
 		    fi
 		    ;;		
 		*/*)
 		    rule="$rule --cmd-owner ${user#*/} "
 		    user1=${user%/*}
 		    ;;
 	    esac
 	    case "$user1" in
 		!*:*)
 		    if [ "$user1" != "!:" ]; then
 			temp="${user1#!}"
 			temp="${temp%:*}"
 			[ -n "$temp" ] && rule="$rule ! --uid-owner $temp " 
 			temp="${user1#*:}"
 			[ -n "$temp" ] && rule="$rule ! --gid-owner $temp "
 		    fi
 		    ;;
 		*:*)
 		    if [ "$user1" != ":" ]; then
 			temp="${user1%:*}"
 			[ -n "$temp" ] && rule="$rule --uid-owner $temp " 
 			temp="${user1#*:}"
 			[ -n "$temp" ] && rule="$rule --gid-owner $temp "
 		    fi
 		    ;;
 		!*)
 		    [ "$user1" != "!" ] && rule="$rule ! --uid-owner ${user1#!} "
 		    ;;
 		*)
 		    [ -n "$user1" ] && rule="$rule --uid-owner $user1 "
 		    ;;
 	    esac
 	    ;;
    esac
@ -3136,10 +3177,26 @@ process_action() # $1 = chain    (Chain to add the rules to)
    [ "x$userspec" = "x-" ] && userspec=
    if [ -n "$userspec" ]; then
 	userandgroup="-m owner"
 	case "$userspec" in
 	    !*/*)
 		if [ "$userspec" != "!/" ]; then
 		    userandgroup="$userandgroup ! --cmd-owner ${userspec#*/}"
 		    userspec=${userspec%/*}
 		fi
 		;;		
 	    */*)
 		if [ "$userspec" != "/" ]; then
 		    userandgroup="$userandgroup --cmd-owner ${userspec#*/}"
 		    userspec=${userspec%/*}
 		fi
 		;;
 	esac
 	case "$userspec" in
 	    !*:*)
 		if [ "$userspec" != "!:" ]; then
 		    userandgroup="-m owner"
 		    temp="${userspec#!}"
 		    temp="${temp%:*}"
 		    [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp" 
@ -3149,7 +3206,6 @@ process_action() # $1 = chain    (Chain to add the rules to)
 		;;
 	    *:*)
 		if [ "$userspec" != ":" ]; then
 		    userandgroup="-m owner"
 		    temp="${userspec%:*}"
 		    [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" 
 		    temp="${userspec#*:}"
@ -3157,12 +3213,14 @@ process_action() # $1 = chain    (Chain to add the rules to)
 		fi 
 		;;
 	    !*)
-		userandgroup="-m owner ! --uid-owner ${userspec#!}"
+		[ "$userspec" != "!" ] && userandgroup="$userandgroup ! --uid-owner ${userspec#!}"
 		;;
 	    *)
-		userandgroup="-m owner --uid-owner $userspec"
+		[ -n "$userspec" ] && userandgroup="$userandgroup --uid-owner $userspec"
 		;;
 	esac
 	[ "$userandgroup" = "-m owner" ] && userandgroup=
    fi
    # Isolate log level
@ -4105,7 +4163,7 @@ add_a_rule()
    case "$logtarget" in
 	ACCEPT|DROP|REJECT|CONTINUE)	
-	    if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then
+	    if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userandgroup" ] ; then
 		error_message "Warning -- Rule \"$rule\" is a POLICY"
 		error_message "	       -- and should be moved to the policy file"
 	    fi
@ -4295,10 +4353,27 @@ process_rule() # $1 = target
    [ "x$address" = "x-" ] && address=
    if [ -n "$userspec" ]; then
 	userandgroup="-m owner"
 	case "$userspec" in
 	    !*/*)
 		if [ "$userspec" != "!/" ]; then
 		    userandgroup="$userandgroup ! --cmd-owner ${userspec#*/}"
 		    userspec=${userspec%/*}
 		fi
 		;;		
 	    */*)
 		if [ "$userspec" != "/" ]; then
 		    userandgroup="$userandgroup --cmd-owner ${userspec#*/}"
 		    userspec=${userspec%/*}
 		fi
 		;;
 	esac
 	case "$userspec" in
 	    !*:*)
 		if [ "$userspec" != "!:" ]; then
 		    userandgroup="-m owner"
 		    temp="${userspec#!}"
 		    temp="${temp%:*}"
 		    [ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp" 
@ -4308,7 +4383,6 @@ process_rule() # $1 = target
 		;;
 	    *:*)
 		if [ "$userspec" != ":" ]; then
 		    userandgroup="-m owner"
 		    temp="${userspec%:*}"
 		    [ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp" 
 		    temp="${userspec#*:}"
@ -4316,12 +4390,14 @@ process_rule() # $1 = target
 		fi 
 		;;
 	    !*)
-		userandgroup="-m owner ! --uid-owner ${userspec#!}"
+		[ "$userspec" != "!" ] && userandgroup="$userandgroup ! --uid-owner ${userspec#!}"
 		;;
 	    *)
-		userandgroup="-m owner --uid-owner $userspec"
+		[ -n "$userspec" ] && userandgroup="$userandgroup --uid-owner $userspec"
 		;;
 	esac
 	[ "$userandgroup" = "-m owner" ] && userandgroup=
    fi
    case $target in
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
--- a/Shorewall2/rules
+++ b/Shorewall2/rules
@ -285,7 +285,7 @@
 #			
 #			The column may contain:
 #
-#			   [!][<user name or number>][:<group name or number>]
+#			   [!][<user name or number>][:<group name or number>][/<program name>]
 #
 #			When this column is non-empty, the rule applies only
 #			if the program generating the output is running under
@ -299,6 +299,7 @@
 #					#the 'kids' group
 #				!:kids  #program must not be run by a member
 #					#of the 'kids' group
 #				/upnpd  #program named 'upnpd'
 #
 #	Example: Accept SMTP requests from the DMZ to the internet
 #