On Thu, Jan 16, 2020 at 12:30:07PM +0100, Alexandr Nedvedicky wrote:
> On Wed, Jan 15, 2020 at 11:14:43PM -0700, Theo de Raadt wrote:
> > What does 1234:12345 mean.  It must be uid 1234 _and_ gid 12345?
This is how I would interpret it, as that's the existing semantics for
ownership handling in chown(8) et al.

>     according to my understanding 'user 1234:12345' matches
>     _all_ user IDs in the range which starts at 1234 and ends at 12345.
>     The ranges are explained in the paragraph which discusses ports:
This would be the logical consequence if user/group arithmetic were
identical to port arithmetic in pf.conf(5), but it is not.

>        Ports and ranges of ports are specified using these operators:
> 
>              =       (equal)
>              !=      (unequal)
>              <       (less than)
>              <=      (less than or equal)
>              >       (greater than)
>              >=      (greater than or equal)
>              :       (range including boundaries)
>              ><      (range excluding boundaries)
>              <>      (except range)
> 
>     to define the precise check (must be uid 1234 _and_ gid 12345),
>     one has to go to something like this:
> 
>       pass out proto tcp all group 12345 user 1234
This is the only syntax I'd want to consider for such a use case.
With the above things in mind, "1234:12345" reads ambiguous; is the
intention to range from user 1234 to user 12345, or is it meant to say
user 1234 and group 12345?

Both forms are already possible with the existing syntax in very clear
forms and I don't see any improvement in supporting the chown(8) like
syntax.

>     Looks like Vadim found a bug and I'll take a look at the patch
>     he has sent.
Where do you see a bug?
