On Jul 27 09:31 AM, Jan Sepp wrote: > Hello, > > I am creating a shell script that gathers PF statistics for my various > interfaces, as in pfctl -i <<if>> -vvsI . (Yes, I am aware of the > existence of rpfcd, but as I want to monitor only one local box and > write the output directly to console, that seems overkill to me.) I am > running OpenBSD 3.6 on a Soekris. > > This script should not run as root. If I run it as a non-privileged > user, I get an error. Basically, the problem is in the mode bits for > /dev/pf, which are crw-------, owner root. > > I googled around and found that Squid happily changes the group and > group mode bits on /dev/pf. Is that "safe", from a compatibility point > of view? And is it secure? Can I do it too? What would be the > implications (apart from being incompatible with squid, obviously)? > > What are the security implications if I go one step beyond that and make > /dev/pf world readable? I understand that all my users then can read the > rule set -- and good luck to them. Anything else? >
I just tried making a new pf device and changing permissions and it works ok for me. I assume that's why there is the -p switch to pfctl, so that you can have multiple device nodes. % sudo mknod /dev/pf2 c 73 0 % sudo chmod 555 /dev/pf2 % pfctl -srules -p /dev/pf2 < rules follow > % pfctl -srules pfctl: /dev/pf: Permission denied So maybe you can just make a copy of the device and chown it to the account that is running the script, and then use the -p switch to pfctl to use that device instead. Matt
