Add support for --cmd-owner

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2078 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-05-03 21:33:09 +00:00
parent d93215ccc3
commit 9fc88cfbd5
6 changed files with 130 additions and 1328 deletions


@ -69,7 +69,7 @@
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
# [!][<user name or number>][:<group name or number>][/<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
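Review bot: the syntax line now admits a `/<program name>` component, but the sentence that follows ("the rule applies only if the program generating the output is running under ...") still describes only the user and group. Add a sentence saying that when a program name is given the rule also requires the command name of the sending process to match it, and state what a leading `!` means when a user and a program are both present, since the syntax shows `[!]` only once, at the front of the whole specification.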
@ -83,6 +83,7 @@
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# /upnpd #program named upnpd
#
# In all of the above columns except ACTION and CHAIN, the values "-",
# "any" and "all" may be used as wildcards
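Review bot: the new `/upnpd` example says "program named upnpd" without saying what "named" is compared against; if only a bare command name is accepted (and not a path such as a full install location), the example or the column description should say so, because that is the first thing a reader will try.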


@ -146,7 +146,7 @@
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
# [!][<user name or number>][:<group name or number>][/<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
@ -160,6 +160,7 @@
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# /upnpd #program named upnpd
#
######################################################################################
#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
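Review bot: this header block repeats the one in the previous file word for word, and a third copy appears in the last file of this commit; whatever wording is settled on for the `/<program name>` component and the meaning of `!` has to be applied to all three copies, or the USER column description should be kept in a single place that the three files point to.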


@ -1,290 +1,3 @@
Changes in 2.2.4
Changes in 2.3.0
1) Added support for UPnP
2) Add 'started' hook.
3) Make an error message more self-explanatory
4) Report Owner Match capability
5) Add Paul Traina's patch to install.sh.
6) Allow startup options to be overridden in /etc/sysconfig/shorewall
or /etc/default/shorewall.
7) Add support for SAME
8) Add 'shorewall show capabilities'
8) Add '-v' option
9) Allow 'none' in /etc/shorewall/rules.
10) Add error message for invalid HOST(S) column contents.
11) Apply Christian Rodriguez's patch for Slackware install.
Changes in 2.2.3
1) Added the 'continue' extension script.
2) Obey 'routestopped' rules during [re]start.
3) MACLIST_TTL added.
4) Fix ! in hosts file
5) Add QUEUE policy.
6) Fix routing output when advanced routing support not in kernel.
Changes in 2.2.2
1) The 'check' command disclaimer is toned down further and only
appears once in the 'check' output.
2) Enhanced support in the SOURCE column of /etc/shorewall/tcrules.
3) All calls to 'clear' are now conditional on the output device being
a terminal.
4) Apply Juergen Kreileder's patch for logging.
5) Add the output of 'arp -na' to the 'shorewall status' display.
6) Provide support for the Extended multiport match available in
2.6.11.
7) Fix logging rule generation.
8) Correct port numbers in action.AllowPCA.
9) Fix installer's handling of action.* files.
10) Implement RFC1918_STRICT
11) Verify interface names in the DEST column of tcrules.
Changes in 2.2.1
1) Add examples to the zones and policy files.
2) Simon Matter's patch for umask.
Changes since 2.0.3
1) Fix security vulnerability involving temporary files/directories.
2) Hack security fix so that it works under Slackware.
3) Correct mktempfile() for case where mktemp isn't installed.
4) Implement 'dropInvalid' builtin action.
5) Fix logging nat rules.
6) Fix COMMAND typos.
7) Add PKTTYPE option.
8) Enhancements to /etc/shorewall/masq
8) Allow overriding ADD_IP_ALIASES=Yes
9) Fix syntax error in setup_nat()
10) Port "shorewall status" changes from 2.0.7.
11) All config files are now empty.
12) Port blacklisting fix from 2.0.7
13) Pass rule chain and display chain separately to log_rule_limit.
Prep work for action logging.
14) Show the iptables/ip/tc command that failed when failure is fatal.
15) Implement STARTUP_ENABLED.
16) Added DNAT ONLY column to /etc/shorewall/nat.
17) Removed SNAT from ORIGINAL DESTINATION column.
18) Removed DNAT ONLY column.
19) Added IPSEC column to /etc/shorewall/masq.
20) No longer enforce source port 500 for ISAKMP.
21) Apply policy to interface/host options.
22) Fix policy and maclist.
23) Implement additional IPSEC options for zones and masq entries.
24) Deprecate the -c option in /sbin/shorewall.
25) Allow distinct input and output IPSEC parameters.
26) Allow source port remapping in /etc/shorewall/masq.
27) Include params file on 'restore'
28) Apply Richard Musil's patch.
29) Correct parsing of PROTO column in setup_tc1().
30) Verify Physdev match if BRIDGING=Yes
31) Don't NAT tunnel traffic.
32) Fix shorewall.spec to run chkconfig/insserv after initial install.
33) Add iprange support.
34) Add CLASSIFY support.
35) Fix iprange support so that ranges in both source and destination
work.
36) Remove logunclean and dropunclean
37) Fixed proxy arp flag setting for complex configurations.
38) Added RETAIN_ALIASES option.
39) Relax OpenVPN source port restrictions.
40) Implement DELAYBLACKLISTLOAD.
41) Avoid double-setting proxy arp flags.
42) Fix DELAYBLACKLISTLOAD=No.
43) Merge 'brctl show' change from 2.0.9.
44) Implememt LOGTAGONLY.
45) Merge 'tcrules' clarification from 2.0.10.
46) Implement 'sourceroute' interface option.
47) Add 'AllowICMPs' action.
48) Changed 'activate_rules' such that traffic from IPSEC hosts gets
handled before traffic from non-IPSEC zones.
49) Correct logmartians handling.
50) Add a clarification and fix a typo in the blacklist file.
51) Allow setting a specify MSS value.
52) Detect duplicate zone names.
53) Add mss=<number> option to the ipsec file.
54) Added CONNMARK/ipp2p support.
55) Added LOGALLNEW support.
56) Fix typo in check_config()
57) Allow outgoing NTP responses in action.AllowNTP.
58) Clarification of the 'ipsec' hosts file option.
59) Allow list in the SUBNET column of the rfc1918 file.
60) Restore missing '#' in the rfc1918 file.
61) Add note for Slackware users to INSTALL.
62) Allow interface in DEST tcrules column.
63) Remove 'ipt_unclean' from search expression in "log" commands.
64) Remove nonsense from IPSEC description in masq file.
65) Correct typo in rules file.
66) Update bogons file.
67) Add a rule for NNTPS to action.AllowNNTP
68) Fix "shorewall add"
69) Change CLIENT PORT(S) to SOURCE PORT(S) in tcrules file.
70) Correct typo in shorewall.conf.
71) Add the 'icmp_echo_ignore_all' file to the /proc display.
72) Apply Tuomas Jormola's IPTABLES patch.
73) Fixed some bugs in Tuomas's patch.
74) Correct bug in "shorewall add"
75) Correct bridge handling in "shorewall add" and "shorewall delete"
76) Add "shorewall show zones"
77) Remove dependency of "show zones" on dynamic zones.
78) Implement variable expansion in INCLUDE directives
79) More fixes for "shorewall delete" with bridging.
80) Split restore-base into two files.
81) Correct OUTPUT handling of dynamic zones.
83) Add adapter statistics to the output of "shorewall status".
84) Log drops due to policy rate limiting.
85) Continue determining capabilities when fooX1234 already exists.
86) Corrected typo in interfaces file.
87) Add DROPINVALID option.
88) Allow list of hosts in add and delete commands. Fix ipsec problem
with "add" and "delete"
89) Clarify add/delete syntax in /sbin/shorewall usage summary.
90) Implement OpenVPN TCP support.
91) Simplify the absurdly over-engineered code that restores the
dynamic chain.
92) Add OPENVPNPORT option.
93) Remove OPENVPNPORT option and change default port to 1194.
94) Avoid shell error during "shorewall stop/clear"
95) Change encryption to blowfish in 'ipsecvpn' script.
96) Correct rate limiting rule example.
97) Fix <if>:: handling in setup_masq().
98) Fix mis-leading typo in tunnels.
99) Fix brain-dead ipsec option handling in setup_masq().
100) Reconcile ipsec masq file implementation with the documentation.
101) Add netfilter module display to status output.
102) Add 'allowInvalid' builtin action.
103) Expand range of Traceroute ports.
102) Correct uninitialized variable in setup_ecn()
103) Allow DHCP to be IPSEC-encrypted.
1) Implement support for --cmd-owner
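Review bot: this hunk replaces the whole 2.2.x/2.0.x history in the changes file with a single 2.3.0 entry. If the reset is intended for the new development branch it should be a separate commit rather than part of the --cmd-owner feature, and the commit message should say where the removed history is kept. The new entry should also use the same wording as the commit title ("Add support for --cmd-owner" versus "Implement support for --cmd-owner" here).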


@ -2405,16 +2405,24 @@ process_tc_rule()
[ "$chain" != tcout ] && \
fatal_error "Invalid use of a user/group: rule \"$rule\""
r="$r-m owner"
case "$user" in
*/*)
r="$r --cmd-owner ${user#*/}"
user=${user%/*}
;;
esac
case "$user" in
*:*)
r="$r-m owner"
temp="${user%:*}"
[ -n "$temp" ] && r="$r --uid-owner $temp "
temp="${user#*:}"
[ -n "$temp" ] && r="$r --gid-owner $temp "
;;
*)
r="$r-m owner --uid-owner $user "
r="$r--uid-owner $user "
;;
esac
fi
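Review bot: in the `*)` branch of process_tc_rule, `r="$r--uid-owner $user "` is appended to an `$r` that now ends in `-m owner` (or in `--cmd-owner <prog>`), neither of which has a trailing space, so the generated match reads `-m owner--uid-owner <user>`; it needs to be `r="$r --uid-owner $user "`. Two further gaps compared with the process_accounting_rule hunk below: a USER column of just `/upnpd` leaves `user` empty after `user=${user%/*}` and the `*)` branch then emits `--uid-owner ` with no argument (guard it with `[ -n "$user" ]`), and there is no `!*/*` branch here, so a negated program name is never recognised in tcrules.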
@ -2646,6 +2654,7 @@ process_accounting_rule() {
rule=
rule2=
jumpchain=
user1=
accounting_error() {
error_message "Warning: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user
@ -2670,6 +2679,7 @@ process_accounting_rule() {
rule="$rule -j $jumpchain"
}
case $source in
*:*)
accounting_interface_verify ${source%:*}
@ -2735,19 +2745,50 @@ process_accounting_rule() {
[ -n "$user" ] && case $user in
-|any|all)
;;
*:*)
[ "$chain" != OUTPUT ] && \
fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain"
rule="$rule -m owner"
temp="${user%:*}"
[ -n "$temp" ] && rule="$rule --uid-owner $temp "
temp="${user#*:}"
[ -n "$temp" ] && rule="$rule --gid-owner $temp "
;;
*)
[ "$chain" != OUTPUT ] && \
fatal_error "Invalid use of a user/group: chain is not OUTPUT but $chain"
rule="$rule -m owner --uid-owner $user "
rule="$rule -m owner"
user1="$user"
case "$user" in
!*/*)
if [ "$user" != "!/" ]; then
rule="$rule ! --cmd-owner ${user#*/} "
user1=${user%/*}
fi
;;
*/*)
rule="$rule --cmd-owner ${user#*/} "
user1=${user%/*}
;;
esac
case "$user1" in
!*:*)
if [ "$user1" != "!:" ]; then
temp="${user1#!}"
temp="${temp%:*}"
[ -n "$temp" ] && rule="$rule ! --uid-owner $temp "
temp="${user1#*:}"
[ -n "$temp" ] && rule="$rule ! --gid-owner $temp "
fi
;;
*:*)
if [ "$user1" != ":" ]; then
temp="${user1%:*}"
[ -n "$temp" ] && rule="$rule --uid-owner $temp "
temp="${user1#*:}"
[ -n "$temp" ] && rule="$rule --gid-owner $temp "
fi
;;
!*)
[ "$user1" != "!" ] && rule="$rule ! --uid-owner ${user1#!} "
;;
*)
[ -n "$user1" ] && rule="$rule --uid-owner $user1 "
;;
esac
;;
esac
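Review bot: `rule="$rule -m owner"` is appended before any sub-option is known, and unlike process_action there is no final `[ "$userandgroup" = "-m owner" ]`-style cleanup, so a USER column of `/` or `:` leaves a bare `-m owner` in the accounting rule. Separately, for `!root/upnpd` the `!*/*` branch emits `! --cmd-owner upnpd` but keeps the `!` on `user1`, so the `!*)` branch then adds `! --uid-owner root`: the negation is applied to each clause independently (not root and not upnpd), which is not the same as "not root running upnpd"; either document that reading in the column comment or reject a `!` that covers both parts.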
@ -3136,10 +3177,26 @@ process_action() # $1 = chain (Chain to add the rules to)
[ "x$userspec" = "x-" ] && userspec=
if [ -n "$userspec" ]; then
userandgroup="-m owner"
case "$userspec" in
!*/*)
if [ "$userspec" != "!/" ]; then
userandgroup="$userandgroup ! --cmd-owner ${userspec#*/}"
userspec=${userspec%/*}
fi
;;
*/*)
if [ "$userspec" != "/" ]; then
userandgroup="$userandgroup --cmd-owner ${userspec#*/}"
userspec=${userspec%/*}
fi
;;
esac
case "$userspec" in
!*:*)
if [ "$userspec" != "!:" ]; then
userandgroup="-m owner"
temp="${userspec#!}"
temp="${temp%:*}"
[ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp"
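Review bot: the `*/*` branch only rejects the exact string `/`, so a trailing slash such as `root/` passes the test and `userandgroup="$userandgroup --cmd-owner ${userspec#*/}"` emits `--cmd-owner` with an empty argument, which iptables will refuse at load time; test `[ -n "${userspec#*/}" ]` instead (the same applies to the `!*/*` branch, where `!root/` yields `! --cmd-owner ` with nothing after it).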
@ -3149,7 +3206,6 @@ process_action() # $1 = chain (Chain to add the rules to)
;;
*:*)
if [ "$userspec" != ":" ]; then
userandgroup="-m owner"
temp="${userspec%:*}"
[ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp"
temp="${userspec#*:}"
@ -3157,12 +3213,14 @@ process_action() # $1 = chain (Chain to add the rules to)
fi
;;
!*)
userandgroup="-m owner ! --uid-owner ${userspec#!}"
[ "$userspec" != "!" ] && userandgroup="$userandgroup ! --uid-owner ${userspec#!}"
;;
*)
userandgroup="-m owner --uid-owner $userspec"
[ -n "$userspec" ] && userandgroup="$userandgroup --uid-owner $userspec"
;;
esac
[ "$userandgroup" = "-m owner" ] && userandgroup=
fi
# Isolate log level
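Review bot: `[ "$userandgroup" = "-m owner" ] && userandgroup=` silently turns a USER column that parsed to nothing (for example `/` or `:` on its own) into "no user match at all", so a typo in that column widens the rule instead of failing; a fatal_error in that case, as is already done for a user/group on the wrong chain in process_accounting_rule, would be safer than discarding the column.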
@ -4105,7 +4163,7 @@ add_a_rule()
case "$logtarget" in
ACCEPT|DROP|REJECT|CONTINUE)
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userspec" ] ; then
if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$userandgroup" ] ; then
error_message "Warning -- Rule \"$rule\" is a POLICY"
error_message " -- and should be moved to the policy file"
fi
@ -4295,10 +4353,27 @@ process_rule() # $1 = target
[ "x$address" = "x-" ] && address=
if [ -n "$userspec" ]; then
userandgroup="-m owner"
case "$userspec" in
!*/*)
if [ "$userspec" != "!/" ]; then
userandgroup="$userandgroup ! --cmd-owner ${userspec#*/}"
userspec=${userspec%/*}
fi
;;
*/*)
if [ "$userspec" != "/" ]; then
userandgroup="$userandgroup --cmd-owner ${userspec#*/}"
userspec=${userspec%/*}
fi
;;
esac
case "$userspec" in
!*:*)
if [ "$userspec" != "!:" ]; then
userandgroup="-m owner"
temp="${userspec#!}"
temp="${temp%:*}"
[ -n "$temp" ] && userandgroup="$userandgroup ! --uid-owner $temp"
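Review bot: this block is a verbatim copy of the one added to process_action above (same two `case` statements, same guards, same `userandgroup` handling); factor the USER column parsing into one shared function, say a hypothetical `parse_user_spec`, so that the empty-argument and negation fixes only have to be made once and the two callers cannot drift apart.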
@ -4308,7 +4383,6 @@ process_rule() # $1 = target
;;
*:*)
if [ "$userspec" != ":" ]; then
userandgroup="-m owner"
temp="${userspec%:*}"
[ -n "$temp" ] && userandgroup="$userandgroup --uid-owner $temp"
temp="${userspec#*:}"
@ -4316,12 +4390,14 @@ process_rule() # $1 = target
fi
;;
!*)
userandgroup="-m owner ! --uid-owner ${userspec#!}"
[ "$userspec" != "!" ] && userandgroup="$userandgroup ! --uid-owner ${userspec#!}"
;;
*)
userandgroup="-m owner --uid-owner $userspec"
[ -n "$userspec" ] && userandgroup="$userandgroup --uid-owner $userspec"
;;
esac
[ "$userandgroup" = "-m owner" ] && userandgroup=
fi
case $target in
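Review bot: as in process_action, `[ "$userandgroup" = "-m owner" ] && userandgroup=` drops a USER column that parsed to nothing without any diagnostic, and the `!*)` and `*)` guards mean a specification such as `!` or `/` produces a rule with no owner restriction at all; reporting that as an error is preferable to generating a broader rule than the one the user wrote.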

File diff suppressed because it is too large


@ -285,7 +285,7 @@
#
# The column may contain:
#
# [!][<user name or number>][:<group name or number>]
# [!][<user name or number>][:<group name or number>][/<program name>]
#
# When this column is non-empty, the rule applies only
# if the program generating the output is running under
@ -299,6 +299,7 @@
# #the 'kids' group
# !:kids #program must not be run by a member
# #of the 'kids' group
# /upnpd #program named 'upnpd'
#
# Example: Accept SMTP requests from the DMZ to the internet
#
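Review bot: the example here writes the program name as `'upnpd'` in quotes while the two other copies of this comment in this commit write it bare (`#program named upnpd`); pick one form for all three files. The comment should also say that a rule with a program name only loads on an iptables/kernel combination whose owner match supports `--cmd-owner`, since the "Owner Match capability" reported by the changelog does not by itself tell the reader that.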