Re: make /dev/pf world readable? CLOSED
Matt Provost wrote:
> On Aug 04 05:21 PM, Artur Grabowski wrote:
> > Jan Sepp <[EMAIL PROTECTED]> writes:
> >
> > > The answer was surprisingly simple. I just had to create a second pf
> > > device, chown it and make it read-only for the new owner, and I could get
> > > my statistics. These are the actual commands:
> > >
> > > soekris # mknod /dev/pf2 c 73 0
> > > soekris # chown myUser /dev/pf2
> > > soekris # chmod u-w /dev/pf2
> > > soekris # ls -l /dev/pf2
> > > cr--r--r--  1 myUser  wheel   73,   0 Aug  4 16:38 /dev/pf2
> > > soekris # su - myUser
> > > $ pfctl -p /dev/pf2 -i sis0 -vvsI
> > > sis0(instance, attached)
> > > Cleared:     Thu Aug  4 15:48:46 2005
> > > etc.
> > > etc.
> >
> > If the idea is that the user isn't supposed to be able to write to the
> > device, it doesn't really work.
> >
> > # mknod /dev/pf2 c 73 0
> > # chown art /dev/pf2
> > # chmod u-w /dev/pf2
> > # ls -l /dev/pf2
> > cr--r--r--  1 art  wheel   73,   0 Aug  4 17:19 /dev/pf2
> > # su - art
> > $ chmod u+w /dev/pf2
> > $ ^D
> > # ls -l /dev/pf2
> > crw-r--r--  1 art  wheel   73,   0 Aug  4 17:19 /dev/pf2
> > # rm /dev/pf2
> > #
>
> Right, you can use group permissions for that. Chown it to root:wheel,
> chmod 740, then anyone in the wheel group can read it but can't delete or
> chmod it. If you just need one user, make them have their own group and do
> the same.
>
> Matt

Well, not as CLOSED as I thought, obviously ;-) Hope we've got all
loopholes covered now.

Thanks once again!

Jan
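The two findings of this thread (Art's demonstration that an owner can always chmod the node back, and Matt's root:group layout) can be turned into a small audit check. This is an added example, not code from the thread: it takes the "ls -l" line and the user's group list as strings so it can be exercised on constructed input without a real device node, and the group name pfstats is made up.

```sh
#!/bin/sh
# Audit a secondary pf device node (e.g. /dev/pf2) handed to an unprivileged
# statistics user. Encodes what the thread established:
#   - if the stats user owns the node, "chmod u-w" protects nothing, because
#     the owner can always chmod it back (and unlink it);
#   - safe layout is root:<group>, group read only, nothing for "other",
#     and the stats user a member of <group>.
#
# check_pf_node LS_LINE USER_GROUPS
#   LS_LINE      one "ls -l" line for the node, passed in as a string
#   USER_GROUPS  the stats user's groups, as printed by "id -Gn <user>"
# Returns 0 when the layout is safe, 1 (with a reason on stdout) otherwise.
check_pf_node() {
    line=$1
    user_groups=$2
    set -- $line                    # word-split the ls line into fields
    mode=$1 owner=$3 group=$4
    case $mode in
        c*) ;;
        *)  echo "not a character device: $mode"; return 1 ;;
    esac
    if [ "$owner" != root ]; then
        echo "owned by $owner, not root: owner can chmod or unlink the node"
        return 1
    fi
    # mode string layout: c rwx rwx rwx -> group bits are chars 5-7, other 8-10
    group_bits=$(printf '%s' "$mode" | cut -c5-7)
    other_bits=$(printf '%s' "$mode" | cut -c8-10)
    case $group_bits in
        r-?) ;;                     # read allowed, never write; x is harmless
        *)  echo "group bits are $group_bits: need r-- or r-x"; return 1 ;;
    esac
    if [ "$other_bits" != "---" ]; then
        echo "world-accessible ($other_bits): every local user can read the ruleset"
        return 1
    fi
    for g in $user_groups; do
        [ "$g" = "$group" ] && return 0
    done
    echo "stats user is not in group $group: pfctl will get Permission denied"
    return 1
}

# Constructed "ls -l" lines modelled on the ones in the thread.
for node in "cr--r--r-- 1 myUser wheel 73, 0 Aug 4 16:38 /dev/pf2" \
            "crwxr----- 1 root wheel 73, 0 Aug 4 17:19 /dev/pf2"; do
    if check_pf_node "$node" "myUser wheel"; then echo "safe:   $node"
    else echo "unsafe: $node"; fi
done
```

On a live box the first argument would come from `ls -l /dev/pf2` and the second from `id -Gn myUser`.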
Re: make /dev/pf world readable? CLOSED
On Aug 04 05:21 PM, Artur Grabowski wrote:
> Jan Sepp <[EMAIL PROTECTED]> writes:
>
> > The answer was surprisingly simple. I just had to create a second pf
> > device, chown it and make it read-only for the new owner, and I could get
> > my statistics. These are the actual commands:
> >
> > soekris # mknod /dev/pf2 c 73 0
> > soekris # chown myUser /dev/pf2
> > soekris # chmod u-w /dev/pf2
> > soekris # ls -l /dev/pf2
> > cr--r--r--  1 myUser  wheel   73,   0 Aug  4 16:38 /dev/pf2
> > soekris # su - myUser
> > $ pfctl -p /dev/pf2 -i sis0 -vvsI
> > sis0(instance, attached)
> > Cleared:     Thu Aug  4 15:48:46 2005
> > etc.
> > etc.
>
> If the idea is that the user isn't supposed to be able to write to the
> device, it doesn't really work.
>
> # mknod /dev/pf2 c 73 0
> # chown art /dev/pf2
> # chmod u-w /dev/pf2
> # ls -l /dev/pf2
> cr--r--r--  1 art  wheel   73,   0 Aug  4 17:19 /dev/pf2
> # su - art
> $ chmod u+w /dev/pf2
> $ ^D
> # ls -l /dev/pf2
> crw-r--r--  1 art  wheel   73,   0 Aug  4 17:19 /dev/pf2
> # rm /dev/pf2
> #

Right, you can use group permissions for that. Chown it to root:wheel,
chmod 740, then anyone in the wheel group can read it but can't delete or
chmod it. If you just need one user, make them have their own group and do
the same.

Matt
Re: make /dev/pf world readable? CLOSED
Jan Sepp <[EMAIL PROTECTED]> writes:

> The answer was surprisingly simple. I just had to create a second pf
> device, chown it and make it read-only for the new owner, and I could get
> my statistics. These are the actual commands:
>
> soekris # mknod /dev/pf2 c 73 0
> soekris # chown myUser /dev/pf2
> soekris # chmod u-w /dev/pf2
> soekris # ls -l /dev/pf2
> cr--r--r--  1 myUser  wheel   73,   0 Aug  4 16:38 /dev/pf2
> soekris # su - myUser
> $ pfctl -p /dev/pf2 -i sis0 -vvsI
> sis0(instance, attached)
> Cleared:     Thu Aug  4 15:48:46 2005
> etc.
> etc.

If the idea is that the user isn't supposed to be able to write to the
device, it doesn't really work.

# mknod /dev/pf2 c 73 0
# chown art /dev/pf2
# chmod u-w /dev/pf2
# ls -l /dev/pf2
cr--r--r--  1 art  wheel   73,   0 Aug  4 17:19 /dev/pf2
# su - art
$ chmod u+w /dev/pf2
$ ^D
# ls -l /dev/pf2
crw-r--r--  1 art  wheel   73,   0 Aug  4 17:19 /dev/pf2
# rm /dev/pf2
#

//art
make /dev/pf world readable? CLOSED
On Jul 27 09:31 AM, Jan Sepp wrote:
> Hello,
>
> I am creating a shell script that gathers PF statistics for my various
> interfaces, as in pfctl -i <> -vvsI . (Yes, I am aware of the
> existence of rpfcd, but as I want to monitor only one local box and
> write the output directly to console, that seems overkill to me.) I am
> running OpenBSD 3.6 on a Soekris.
>
> This script should not run as root. If I run it as a non-privileged
> user, I get an error. Basically, the problem is in the mode bits for
> /dev/pf, which are crw---, owner root.
>
> [ Jan Sepp snipped here ]

The answer was surprisingly simple. I just had to create a second pf
device, chown it and make it read-only for the new owner, and I could get
my statistics. These are the actual commands:

soekris # mknod /dev/pf2 c 73 0
soekris # chown myUser /dev/pf2
soekris # chmod u-w /dev/pf2
soekris # ls -l /dev/pf2
cr--r--r--  1 myUser  wheel   73,   0 Aug  4 16:38 /dev/pf2
soekris # su - myUser
$ pfctl -p /dev/pf2 -i sis0 -vvsI
sis0(instance, attached)
Cleared:     Thu Aug  4 15:48:46 2005
etc.
etc.

Thank you all who answered my question and most notably Matt Provost, who
essentially wrote the answer down for me!

Jan Sepp
Re: make /dev/pf world readable?
On Jul 27 09:31 AM, Jan Sepp wrote:
> Hello,
>
> I am creating a shell script that gathers PF statistics for my various
> interfaces, as in pfctl -i <> -vvsI . (Yes, I am aware of the
> existence of rpfcd, but as I want to monitor only one local box and
> write the output directly to console, that seems overkill to me.) I am
> running OpenBSD 3.6 on a Soekris.
>
> This script should not run as root. If I run it as a non-privileged
> user, I get an error. Basically, the problem is in the mode bits for
> /dev/pf, which are crw---, owner root.
>
> I googled around and found that Squid happily changes the group and
> group mode bits on /dev/pf. Is that "safe", from a compatibility point
> of view? And is it secure? Can I do it too? What would be the
> implications (apart from being incompatible with squid, obviously)?
>
> What are the security implications if I go one step beyond that and make
> /dev/pf world readable? I understand that all my users then can read the
> rule set -- and good luck to them. Anything else?
>

I just tried making a new pf device and changing permissions and it works
ok for me. I assume that's why there is the -p switch to pfctl, so that
you can have multiple device nodes.

% sudo mknod /dev/pf2 c 73 0
% sudo chmod 555 /dev/pf2
% pfctl -srules -p /dev/pf2
< rules follow >
% pfctl -srules
pfctl: /dev/pf: Permission denied

So maybe you can just make a copy of the device and chown it to the
account that is running the script, and then use the -p switch to pfctl to
use that device instead.

Matt
Re: make /dev/pf world readable?
And/or you run "su username -c command" as root from its crontab,
/etc/ppp/ppp.linkup, /etc/rc.local or wherever

2005/7/27, Lars Hansson <[EMAIL PROTECTED]>:
> On Wed, 27 Jul 2005 10:26:46 +0200
> Jan Sepp <[EMAIL PROTECTED]> wrote:
>
> > Thanks, but that would require me to hard-code the password in my
> > script, so that will not work.
>
> No it wouldn't. You can allow users to run commands with sudo without
> using passwords. man sudoers.
Re: make /dev/pf world readable?
On Wed, 27 Jul 2005 10:26:46 +0200
Jan Sepp <[EMAIL PROTECTED]> wrote:

> Thanks, but that would require me to hard-code the password in my
> script, so that will not work.

No it wouldn't. You can allow users to run commands with sudo without
using passwords. man sudoers.

---
Lars Hansson
Re: make /dev/pf world readable?
Thanks, but that would require me to hard-code the password in my
script, so that will not work.

Alexander Farber wrote:
> I dunno if it's safe or not, but you could use "sudo" or "su username -c"
> there.
>
> 2005/7/27, Jan Sepp <[EMAIL PROTECTED]>:
> > This script should not run as root. If I run it as a non-privileged
> > user, I get an error. Basically, the problem is in the mode bits for
> > /dev/pf, which are crw---, owner root.
Re: make /dev/pf world readable?
I dunno if it's safe or not, but you could use "sudo" or "su username -c"
there.

2005/7/27, Jan Sepp <[EMAIL PROTECTED]>:
> This script should not run as root. If I run it as a non-privileged
> user, I get an error. Basically, the problem is in the mode bits for
> /dev/pf, which are crw---, owner root.
make /dev/pf world readable?
Hello,

I am creating a shell script that gathers PF statistics for my various
interfaces, as in pfctl -i <> -vvsI . (Yes, I am aware of the
existence of rpfcd, but as I want to monitor only one local box and
write the output directly to console, that seems overkill to me.) I am
running OpenBSD 3.6 on a Soekris.

This script should not run as root. If I run it as a non-privileged
user, I get an error. Basically, the problem is in the mode bits for
/dev/pf, which are crw---, owner root.

I googled around and found that Squid happily changes the group and
group mode bits on /dev/pf. Is that "safe", from a compatibility point
of view? And is it secure? Can I do it too? What would be the
implications (apart from being incompatible with squid, obviously)?

What are the security implications if I go one step beyond that and make
/dev/pf world readable? I understand that all my users then can read the
rule set -- and good luck to them. Anything else?

TIA,
Jan Sepp