Re: (Perhaps?) dumb pf question relating to tables
On Wed, Nov 10, 2010 at 01:45:16PM +0100, Tor Houghton wrote:

> May I ask whether or not per user ownership (or permission to update) a table is/will be possible? I am pondering the best mechanism for a non-root process to add/remove addresses to a table.

You can look at sysutils/tabled in ports, which provides this functionality (permissions would be controlled by the filesystem permissions on the fifo)

I don't think we'll be making /dev/pf accessible by non-root processes any time soon.
Re: (Perhaps?) dumb pf question relating to tables
On Thu, Nov 11, 2010 at 05:32:27PM +0900, Ryan McBride wrote:

> On Wed, Nov 10, 2010 at 01:45:16PM +0100, Tor Houghton wrote:
>
> > May I ask whether or not per user ownership (or permission to update) a table is/will be possible? I am pondering the best mechanism for a non-root process to add/remove addresses to a table.
>
> You can look at sysutils/tabled in ports, which provides this functionality (permissions would be controlled by the filesystem permissions on the fifo)
>
> I don't think we'll be making /dev/pf accessible by non-root processes any time soon.

This looks exactly like what I need. Thank you!

Kind regards,

Tor
Re: (Perhaps?) dumb pf question relating to tables
On Thu, 11 Nov 2010, Tor Houghton wrote:

> From: Tor Houghton t...@bogus.net
> To: Ryan McBride mcbr...@openbsd.org
> Cc: misc@openbsd.org
> Date: Thu, 11 Nov 2010 11:06:25
> Subject: Re: (Perhaps?) dumb pf question relating to tables
> X-Spam-Score: 0.0 (/)
>
> On Thu, Nov 11, 2010 at 05:32:27PM +0900, Ryan McBride wrote:
>
> > On Wed, Nov 10, 2010 at 01:45:16PM +0100, Tor Houghton wrote:
> >
> > > May I ask whether or not per user ownership (or permission to update) a table is/will be possible? I am pondering the best mechanism for a non-root process to add/remove addresses to a table.
> >
> > You can look at sysutils/tabled in ports, which provides this functionality (permissions would be controlled by the filesystem permissions on the fifo)
> >
> > I don't think we'll be making /dev/pf accessible by non-root processes any time soon.
>
> This looks exactly like what I need.

You could also use pftabled from:

http://www.wolfermann.org/pftabled.html

although it's mainly intended for keeping table(s) in step across co-operating hosts. Access is controlled by knowing an HMAC-SHA1 keyed hash.

Make this small change to get it to build on OpenBSD 4.8:

--- Makefile.in.origWed Feb 4 11:09:33 2009 +++ Makefile.in Thu Nov 11 11:28:31 2010 @@ -27,7 +27,7 @@ ${CC} ${LDFLAGS} -o $@ ${SERVEROBJS} ${LIBS} pftabled.cat1: pftabled.1 - nroff -Tascii -man pftabled.1 pftabled.cat1 + mandoc -Tascii -mandoc pftabled.1 pftabled.cat1 pftabled-client: ${CLIENTOBJS} ${CC} ${LDFLAGS} -o $@ ${CLIENTOBJS} ${LIBS}

--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
d.h.da...@bath.ac.uk Phone: +44 1225 386101
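Review bot: the added "mandoc -Tascii -mandoc pftabled.1 pftabled.cat1" line in the pftabled.cat1 rule hard-codes mandoc in Makefile.in, the template every platform builds from, so the man page target stops working wherever only nroff is installed. Consider a make variable for the formatter (set by configure or overridable on the make command line), or carry this as a local OpenBSD-only patch. Also, as quoted here neither the removed nor the added line redirects output into pftabled.cat1; check that the real recipe still has the redirection so the cat page is actually written.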
Re: (Perhaps?) dumb pf question relating to tables
On Wed, Nov 10, 2010 at 01:45:16PM +0100, Tor Houghton wrote:

> Hello,
>
> May I ask whether or not per user ownership (or permission to update) a table is/will be possible? I am pondering the best mechanism for a non-root process to add/remove addresses to a table.

Privilege separation.

> Kind regards,
>
> Tor
Re: (Perhaps?) dumb pf question relating to tables
On Wed, Nov 10, 2010 at 13:45, Tor Houghton t...@bogus.net wrote:

> Hello,
>
> May I ask whether or not per user ownership (or permission to update) a table is/will be possible? I am pondering the best mechanism for a non-root process to add/remove addresses to a table.
>
> Kind regards,
>
> Tor

You might be interested in having a look at authpf(8) eventually?
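
The FIFO-with-filesystem-permissions approach and the "privilege separation" reply in this thread, sketched as an added example (not code from tabled, pftabled or any poster here): a root-owned helper reads requests from a group-writable FIFO and turns only validated ones into pfctl table commands. The FIFO path, table name and one-line request format are assumptions.

```python
"""Root-side helper applying pf table changes requested through a FIFO.
Added illustration; not the code of sysutils/tabled or pftabled."""
import ipaddress
import os
import stat
import subprocess

FIFO = "/var/run/pftable.fifo"     # assumed path, in a root-only directory
ALLOWED_TABLES = {"blocklist"}     # assumed table name
ALLOWED_OPS = {"add", "delete"}    # the only pfctl -T commands exposed


def build_pfctl_argv(line, tables=ALLOWED_TABLES):
    """Turn a request line ('add blocklist 192.0.2.7') into a pfctl argv.
    Raises ValueError for anything that is not explicitly allowed."""
    fields = line.split()
    if len(fields) != 3:
        raise ValueError("expected: <op> <table> <address>")
    op, table, addr = fields
    if op not in ALLOWED_OPS:
        raise ValueError("operation not permitted")
    if table not in tables:
        raise ValueError("table not permitted")
    # Rejects hostnames, option-like strings and networks with host bits set.
    net = ipaddress.ip_network(addr, strict=True)
    # An argv list, never a shell string: writers cannot inject arguments.
    return ["pfctl", "-t", table, "-T", op, str(net)]


def serve(path=FIFO, gid=0):
    """Create the FIFO (root read/write, group write-only) and serve it."""
    if not os.path.lexists(path):
        os.mkfifo(path, 0o600)
    if not stat.S_ISFIFO(os.lstat(path).st_mode):
        raise RuntimeError(f"{path} exists and is not a FIFO")
    os.chown(path, 0, gid)         # gid: group of the unprivileged writers
    os.chmod(path, 0o620)
    while True:
        with open(path) as fifo:   # blocks until a writer opens the FIFO
            for line in fifo:
                try:
                    subprocess.run(build_pfctl_argv(line), check=False)
                except ValueError:
                    continue       # drop anything that fails validation


if __name__ == "__main__":
    serve()
```

Only members of the chosen group can write to the FIFO, and nothing they write reaches pfctl except an allowed operation, an allowed table and a parsed address.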