Hello, just to clarify the user and group match in pf.conf
On Wed, Jan 15, 2020 at 11:14:43PM -0700, Theo de Raadt wrote:
> I'll bite, using text from your regress.
>
> > +pass out proto tcp all user 1234:12345 flags S/SA
> > +pass out proto tcp all user 0:12345 flags S/SA
> > +pass out proto tcp all group 1234:12345 flags S/SA
> > +pass out proto tcp all group 0:12345 flags S/SA
>
> What does 1234:12345 mean. It must be uid 1234 _and_ gid 12345?

According to my understanding, 'user 1234:12345' matches _all_ user IDs in the range which starts with 1234 and ends with 12345. The ranges are explained in the paragraph which discusses ports:

    Ports and ranges of ports are specified using these operators:

        =       (equal)
        !=      (unequal)
        <       (less than)
        <=      (less than or equal)
        >       (greater than)
        >=      (greater than or equal)
        :       (range including boundaries)
        ><      (range excluding boundaries)
        <>      (except range)

To define the precise check (must be uid 1234 _and_ gid 12345), one has to go to something like this:

    pass out proto tcp all group 12345 user 1234

Looks like Vadim found a bug and I'll take a look at the patch he has sent.

regards
sashan
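
Review bot: the four added `pass out` rules exercise only the `:` range form, and each uses `user` or `group` on its own; none of the quoted lines combines the two keywords or uses `><` or `<>`. Consider adding a case such as `pass out proto tcp all group 12345 user 1234`, plus one rule per remaining range operator, so the regress output also pins down the combined uid and gid match.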
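
The operator semantics described in the message above, written out as an added C example (not code from pf or from this thread). The type and function names are hypothetical, and `<>` is assumed to match everything outside the inclusive range.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for this example; they are not pf's identifiers. */
enum id_op { OP_ANY, OP_EQ, OP_NE, OP_LT, OP_LE, OP_GT, OP_GE,
             OP_RANGE, OP_INSIDE, OP_EXCEPT };

struct id_match { enum id_op op; uint32_t a, b; };

/* Return 1 when id satisfies the criterion, 0 otherwise. */
static int id_matches(const struct id_match *m, uint32_t id)
{
    switch (m->op) {
    case OP_ANY:    return 1;                        /* keyword absent */
    case OP_EQ:     return id == m->a;
    case OP_NE:     return id != m->a;
    case OP_LT:     return id <  m->a;
    case OP_LE:     return id <= m->a;
    case OP_GT:     return id >  m->a;
    case OP_GE:     return id >= m->a;
    case OP_RANGE:  return id >= m->a && id <= m->b; /* a:b  */
    case OP_INSIDE: return id >  m->a && id <  m->b; /* a><b */
    case OP_EXCEPT: return id <  m->a || id >  m->b; /* a<>b, assumed */
    }
    return 0;
}

/* Both the user and the group criterion must hold for a rule to match. */
static int rule_matches(const struct id_match *user,
                        const struct id_match *group,
                        uint32_t uid, uint32_t gid)
{
    return id_matches(user, uid) && id_matches(group, gid);
}

/* Constructed criteria mirroring the rules quoted in the thread. */
static const struct id_match ANY         = { OP_ANY, 0, 0 };
static const struct id_match USER_RANGE  = { OP_RANGE, 1234, 12345 };
static const struct id_match USER_1234   = { OP_EQ, 1234, 0 };
static const struct id_match GROUP_12345 = { OP_EQ, 12345, 0 };

int main(void)
{
    /* "user 1234:12345": uid 5000 matches, whatever the gid. */
    printf("%d\n", rule_matches(&USER_RANGE, &ANY, 5000, 7));
    /* "group 12345 user 1234": uid 5000 does not match. */
    printf("%d\n", rule_matches(&USER_1234, &GROUP_12345, 5000, 12345));
    return 0;
}
```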