Re: make /dev/pf world readable? CLOSED

[Jan Sepp]

Matt Provost wrote:


On Aug 04 05:21 PM, Artur Grabowski wrote:
 


Jan Sepp <[EMAIL PROTECTED]> writes:

   


The answer was surprisingly simple. I just had to create a second pf
device, chown it and make it read-only for the new owner, and I could get
my statistics. These are the actual commands:

soekris # mknod /dev/pf2 c 73 0
soekris # chown myUser /dev/pf2
soekris # chmod u-w /dev/pf2
soekris # ls -l /dev/pf2
cr--r--r--  1 myUser  wheel   73,   0 Aug  4 16:38 /dev/pf2
soekris # su - myUser
$ pfctl -p /dev/pf2 -i sis0 -vvsI
sis0(instance, attached)
   Cleared: Thu Aug  4 15:48:46 2005
   etc.
   etc.
 


If the idea is that the user isn't supposed to be able to write to the
device, it doesn't really work.

# mknod /dev/pf2 c 73 0
# chown art /dev/pf2
# chmod u-w /dev/pf2
# ls -l /dev/pf2
cr--r--r--  1 art  wheel   73,   0 Aug  4 17:19 /dev/pf2
# su - art
$ chmod u+w /dev/pf2
$ ^D
# ls -l /dev/pf2
crw-r--r--  1 art  wheel   73,   0 Aug  4 17:19 /dev/pf2
# rm /dev/pf2
# 

   



Right, you can use group permissions for that. Chown it to root:wheel,
chmod 740, then anyone in the wheel group can read it but can't delete
or chmod it. If you just need one user, make them have their own group
and do the same.

Matt

 

Well, not as CLOSED as I thought, obviously ;-)


Hope we've got all loopholes covered now.


Thanks once again!

Jan

Re: make /dev/pf world readable? CLOSED

[Matt Provost]

On Aug 04 05:21 PM, Artur Grabowski wrote:
> Jan Sepp <[EMAIL PROTECTED]> writes:
> 
> > The answer was surprisingly simple. I just had to create a second pf
> > device, chown it and make it read-only for the new owner, and I could get
> > my statistics. These are the actual commands:
> > 
> > soekris # mknod /dev/pf2 c 73 0
> > soekris # chown myUser /dev/pf2
> > soekris # chmod u-w /dev/pf2
> > soekris # ls -l /dev/pf2
> > cr--r--r--  1 myUser  wheel   73,   0 Aug  4 16:38 /dev/pf2
> > soekris # su - myUser
> > $ pfctl -p /dev/pf2 -i sis0 -vvsI
> > sis0(instance, attached)
> > Cleared: Thu Aug  4 15:48:46 2005
> > etc.
> > etc.
> 
> If the idea is that the user isn't supposed to be able to write to the
> device, it doesn't really work.
> 
> # mknod /dev/pf2 c 73 0
> # chown art /dev/pf2
> # chmod u-w /dev/pf2
> # ls -l /dev/pf2
> cr--r--r--  1 art  wheel   73,   0 Aug  4 17:19 /dev/pf2
> # su - art
> $ chmod u+w /dev/pf2
> $ ^D
> # ls -l /dev/pf2
> crw-r--r--  1 art  wheel   73,   0 Aug  4 17:19 /dev/pf2
> # rm /dev/pf2
> # 
> 

Right, you can use group permissions for that. Chown it to root:wheel,
chmod 740, then anyone in the wheel group can read it but can't delete
or chmod it. If you just need one user, make them have their own group
and do the same.

Matt

Re: make /dev/pf world readable? CLOSED

[Artur Grabowski]

Jan Sepp <[EMAIL PROTECTED]> writes:

> The answer was surprisingly simple. I just had to create a second pf
> device, chown it and make it read-only for the new owner, and I could get
> my statistics. These are the actual commands:
> 
> soekris # mknod /dev/pf2 c 73 0
> soekris # chown myUser /dev/pf2
> soekris # chmod u-w /dev/pf2
> soekris # ls -l /dev/pf2
> cr--r--r--  1 myUser  wheel   73,   0 Aug  4 16:38 /dev/pf2
> soekris # su - myUser
> $ pfctl -p /dev/pf2 -i sis0 -vvsI
> sis0(instance, attached)
> Cleared: Thu Aug  4 15:48:46 2005
> etc.
> etc.

If the idea is that the user isn't supposed to be able to write to the
device, it doesn't really work.

# mknod /dev/pf2 c 73 0
# chown art /dev/pf2
# chmod u-w /dev/pf2
# ls -l /dev/pf2
cr--r--r--  1 art  wheel   73,   0 Aug  4 17:19 /dev/pf2
# su - art
$ chmod u+w /dev/pf2
$ ^D
# ls -l /dev/pf2
crw-r--r--  1 art  wheel   73,   0 Aug  4 17:19 /dev/pf2
# rm /dev/pf2
# 

//art

make /dev/pf world readable? CLOSED

[Jan Sepp]

On Jul 27 09:31 AM, Jan Sepp wrote:

> Hello,
>
> I am creating a shell script that gathers PF statistics for my various
> interfaces, as in pfctl -i <>  -vvsI . (Yes, I am aware of the
> existence of rpfcd, but as I want to monitor only one local box and
> write the output directly to console, that seems overkill to me.)   I am
> running OpenBSD 3.6 on a Soekris.
>
> This script should not run as root. If I run it as a non-privileged
> user, I get an error. Basically, the problem is in the mode bits for
> /dev/pf,  which are crw---, owner root.
>
> [ Jan Sepp snipped here ]

The answer was surprisingly simple. I just had to create a second pf
device, chown it and make it read-only for the new owner, and I could get
my statistics. These are the actual commands:

soekris # mknod /dev/pf2 c 73 0
soekris # chown myUser /dev/pf2
soekris # chmod u-w /dev/pf2
soekris # ls -l /dev/pf2
cr--r--r--  1 myUser  wheel   73,   0 Aug  4 16:38 /dev/pf2
soekris # su - myUser
$ pfctl -p /dev/pf2 -i sis0 -vvsI
sis0(instance, attached)
   Cleared: Thu Aug  4 15:48:46 2005
   etc.
   etc.

Thank you all who answered my question and most notably Matt Provost,
who essentially wrote the answer down for me!

Jan Sepp

Re: make /dev/pf world readable?

[Matt Provost]

On Jul 27 09:31 AM, Jan Sepp wrote:
> Hello,
> 
> I am creating a shell script that gathers PF statistics for my various 
> interfaces, as in pfctl -i <>  -vvsI . (Yes, I am aware of the 
> existence of rpfcd, but as I want to monitor only one local box and 
> write the output directly to console, that seems overkill to me.)   I am 
> running OpenBSD 3.6 on a Soekris.
> 
> This script should not run as root. If I run it as a non-privileged 
> user, I get an error. Basically, the problem is in the mode bits for 
> /dev/pf,  which are crw---, owner root.
> 
> I googled around and found that Squid happily changes the group and 
> group mode bits on /dev/pf. Is that "safe", from a compatibility point 
> of view? And is it secure? Can I do it too? What would be the 
> implications (apart from being incompatible with squid, obviously)?
> 
> What are the security implications if I go one step beyond that and make 
> /dev/pf world readable? I understand that all my users then can read the 
> rule set -- and good luck to them. Anything else?
> 

I just tried making a new pf device and changing permissions and it
works ok for me. I assume that's why there is the -p switch to pfctl, so
that you can have multiple device nodes.

% sudo mknod /dev/pf2 c 73 0
% sudo chmod 555 /dev/pf2
% pfctl -srules -p /dev/pf2
< rules follow >
% pfctl -srules
pfctl: /dev/pf: Permission denied

So maybe you can just make a copy of the device and chown it to the
account that is running the script, and then use the -p switch to pfctl
to use that device instead.

Matt

Re: make /dev/pf world readable?

[Alexander Farber]

And/or you run "su username -c command" as root from 
its crontab, /etc/ppp/ppp.linkup, /etc/rc.local or wherever

2005/7/27, Lars Hansson <[EMAIL PROTECTED]>:
> On Wed, 27 Jul 2005 10:26:46 +0200
> Jan Sepp <[EMAIL PROTECTED]> wrote:
> 
> > Thanks, but that would require me to hard-code the password in my
> > script, so that will not work.
> 
> No it wouldnt. You can allow users to run commands with sudo without
> using passwords. man sudoers.

Re: make /dev/pf world readable?

[Lars Hansson]

On Wed, 27 Jul 2005 10:26:46 +0200
Jan Sepp <[EMAIL PROTECTED]> wrote:

> Thanks, but that would require me to hard-code the password in my 
> script, so that will not work.

No it wouldnt. You can allow users to run commands with sudo without
using passwords. man sudoers.

---
Lars Hansson

Re: make /dev/pf world readable?

[Jan Sepp]

Thanks, but that would require me to hard-code the password in my 
script, so that will not work.


Alexander Farber wrote:


I dunno if it's safe or not, but you could use "sudo" or "su username -c" there.

2005/7/27, Jan Sepp <[EMAIL PROTECTED]>:
 


This script should not run as root. If I run it as a non-privileged
user, I get an error. Basically, the problem is in the mode bits for
/dev/pf,  which are crw---, owner root.

Re: make /dev/pf world readable?

[Alexander Farber]

I dunno if it's safe or not, but you could use "sudo" or "su username -c" there.

2005/7/27, Jan Sepp <[EMAIL PROTECTED]>:
> This script should not run as root. If I run it as a non-privileged
> user, I get an error. Basically, the problem is in the mode bits for
> /dev/pf,  which are crw---, owner root.

make /dev/pf world readable?

[Jan Sepp]

Hello,

I am creating a shell script that gathers PF statistics for my various 
interfaces, as in pfctl -i <>  -vvsI . (Yes, I am aware of the 
existence of rpfcd, but as I want to monitor only one local box and 
write the output directly to console, that seems overkill to me.)   I am 
running OpenBSD 3.6 on a Soekris.


This script should not run as root. If I run it as a non-privileged 
user, I get an error. Basically, the problem is in the mode bits for 
/dev/pf,  which are crw---, owner root.


I googled around and found that Squid happily changes the group and 
group mode bits on /dev/pf. Is that "safe", from a compatibility point 
of view? And is it secure? Can I do it too? What would be the 
implications (apart from being incompatible with squid, obviously)?


What are the security implications if I go one step beyond that and make 
/dev/pf world readable? I understand that all my users then can read the 
rule set -- and good luck to them. Anything else?


TIA,

Jan Sepp