make /dev/pf world readable? CLOSED
On Jul 27 09:31 AM, Jan Sepp wrote:

> Hello,
>
> I am creating a shell script that gathers PF statistics for my various interfaces, as in pfctl -i if -vvsI . (Yes, I am aware of the existence of rpfcd, but as I want to monitor only one local box and write the output directly to console, that seems overkill to me.) I am running OpenBSD 3.6 on a Soekris.
>
> This script should not run as root. If I run it as a non-privileged user, I get an error. Basically, the problem is in the mode bits for /dev/pf, which are crw---, owner root.

[ Jan Sepp snipped here ]

The answer was surprisingly simple. I just had to create a second pf device, chown it and make it read-only for the new owner, and I could get my statistics. These are the actual commands:

    soekris # mknod /dev/pf2 c 73 0
    soekris # chown myUser /dev/pf2
    soekris # chmod u-w /dev/pf2
    soekris # ls -l /dev/pf2
    cr--r--r--  1 myUser  wheel   73,   0 Aug  4 16:38 /dev/pf2
    soekris # su - myUser
    $ pfctl -p /dev/pf2 -i sis0 -vvsI
    sis0(instance, attached)
    Cleared:     Thu Aug  4 15:48:46 2005
    etc. etc.

Thank you all who answered my question and most notably Matt Provost, who essentially wrote the answer down for me!

Jan Sepp
Re: make /dev/pf world readable? CLOSED
Matt Provost wrote:

> On Aug 04 05:21 PM, Artur Grabowski wrote:
>
>> Jan Sepp [EMAIL PROTECTED] writes:
>>
>>> The answer was surprisingly simple. I just had to create a second pf device, chown it and make it read-only for the new owner, and I could get my statistics. These are the actual commands:
>>>
>>>     soekris # mknod /dev/pf2 c 73 0
>>>     soekris # chown myUser /dev/pf2
>>>     soekris # chmod u-w /dev/pf2
>>>     soekris # ls -l /dev/pf2
>>>     cr--r--r--  1 myUser  wheel   73,   0 Aug  4 16:38 /dev/pf2
>>>     soekris # su - myUser
>>>     $ pfctl -p /dev/pf2 -i sis0 -vvsI
>>>     sis0(instance, attached)
>>>     Cleared:     Thu Aug  4 15:48:46 2005
>>>     etc. etc.
>>
>> If the idea is that the user isn't supposed to be able to write to the device, it doesn't really work.
>>
>>     # mknod /dev/pf2 c 73 0
>>     # chown art /dev/pf2
>>     # chmod u-w /dev/pf2
>>     # ls -l /dev/pf2
>>     cr--r--r--  1 art  wheel   73,   0 Aug  4 17:19 /dev/pf2
>>     # su - art
>>     $ chmod u+w /dev/pf2
>>     $ ^D
>>     # ls -l /dev/pf2
>>     crw-r--r--  1 art  wheel   73,   0 Aug  4 17:19 /dev/pf2
>>     # rm /dev/pf2
>>     #
>
> Right, you can use group permissions for that. Chown it to root:wheel, chmod 740, then anyone in the wheel group can read it but can't delete or chmod it. If you just need one user, make them have their own group and do the same.
>
> Matt

Well, not as CLOSED as I thought, obviously ;-)

Hope we've got all loopholes covered now. Thanks once again!

Jan
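A small audit helper, added here and not part of the thread, that checks an `ls -l` line for a pf device node against the scheme Matt describes (root-owned, group-readable, no write bit for the group, nothing for "other"). The owner check matters most: whoever owns the node can always chmod it back to writable, which is the loophole Artur showed. The function and path names are assumptions of this example; the sample lines in the test are constructed.

```shell
#!/bin/sh
# audit_ls_line "<one ls -l line>"
#   returns 0 if the node is acceptable for read-only statistics access,
#   1 otherwise, with the reason on stderr.
audit_ls_line() {
    set -- $1                      # split the ls line into fields
    mode=$1; owner=$3; group=$4
    case "$mode" in
        c*) ;;                     # must be a character device
        *) echo "not a character device: $mode" >&2; return 1 ;;
    esac
    # Owner may chmod/chown at will, so a non-root owner defeats u-w.
    if [ "$owner" != root ]; then
        echo "owner $owner is not root: owner can chmod u+w again" >&2
        return 1
    fi
    # Mode string layout: pos 1 type, 2-4 user, 5-7 group, 8-10 other.
    g=$(printf '%s' "$mode" | cut -c5-7)
    o=$(printf '%s' "$mode" | cut -c8-10)
    case "$g" in
        *w*) echo "group $group may write to the device: $mode" >&2; return 1 ;;
    esac
    if [ "$o" != "---" ]; then
        echo "world has access to the device: $mode" >&2
        return 1
    fi
    case "$g" in
        r*) return 0 ;;            # root:group, group read-only: the intended scheme
    esac
    echo "group $group cannot read; only root gets statistics" >&2
    return 1
}

# audit_path /dev/pf2  -> same result, reading the live node's ls -l line
audit_path() {
    audit_ls_line "$(ls -ld "$1")"
}
```

Run `audit_path /dev/pf2` from the statistics script before calling pfctl, and refuse to proceed (or alert) when it returns 1.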
make /dev/pf world readable?
Hello,

I am creating a shell script that gathers PF statistics for my various interfaces, as in pfctl -i if -vvsI . (Yes, I am aware of the existence of rpfcd, but as I want to monitor only one local box and write the output directly to console, that seems overkill to me.) I am running OpenBSD 3.6 on a Soekris.

This script should not run as root. If I run it as a non-privileged user, I get an error. Basically, the problem is in the mode bits for /dev/pf, which are crw---, owner root.

I googled around and found that Squid happily changes the group and group mode bits on /dev/pf. Is that safe, from a compatibility point of view? And is it secure? Can I do it too? What would be the implications (apart from being incompatible with squid, obviously)?

What are the security implications if I go one step beyond that and make /dev/pf world readable? I understand that all my users then can read the rule set -- and good luck to them. Anything else?

TIA,
Jan Sepp
Re: make /dev/pf world readable?
Thanks, but that would require me to hard-code the password in my script, so that will not work.

Alexander Farber wrote:

> I dunno if it's safe or not, but you could use sudo or su username -c there.
>
> 2005/7/27, Jan Sepp [EMAIL PROTECTED]:
>
>> This script should not run as root. If I run it as a non-privileged user, I get an error. Basically, the problem is in the mode bits for /dev/pf, which are crw---, owner root.