Hello,

I am creating a shell script that gathers PF statistics for my various
interfaces, as in pfctl -i <<if>> -vvsI . (Yes, I am aware of the
existence of rpfcd, but as I want to monitor only one local box and
write the output directly to console, that seems overkill to me.) I am
running OpenBSD 3.6 on a Soekris.

This script should not run as root. If I run it as a non-privileged
user, I get an error. Basically, the problem is in the mode bits for
/dev/pf, which are crw-------, owner root.

I googled around and found that Squid happily changes the group and
group mode bits on /dev/pf. Is that "safe", from a compatibility point
of view? And is it secure? Can I do it too? What would be the
implications (apart from being incompatible with Squid, obviously)?

What are the security implications if I go one step beyond that and make
/dev/pf world readable? I understand that all my users then can read the
rule set -- and good luck to them. Anything else?

TIA,
Jan Sepp