
Re: /dev/pf perms and oidentd non-privileged



As already pointed out, there is no problem in adding a new pf group and
changing /dev/pf to root:pf and that's what I do on my gateway.
I have different no-login usernames for each of ftp-proxy, oidentd and
tircproxy and I've added each as members of my pf group.

Running oidentd in this way works fine.

However, as you're planning on using IRC and over NAT, you might also be
using tircproxy, which will allow your users to use "active" DCC. As
you're obviously trying to drop privileges, you should know that if you
don't run tircproxy as root, then as it stands, you won't be able to
return any ident values other than that of the username you're dropping
tircproxy privileges to. This still results in the ident challenge passing
of course, so this might not be a problem for you. If running tircproxy as
root, then this isn't an issue at all, though of course you're still
running as root ;)

Also, if using tircproxy, be aware that the tircproxy in 3.1-release won't
work in transparent mode with pf. This is fixed in -current however.


-- Rukh

On Thu, 25 Jul 2002, David Wollmann wrote:

> I need a NAT-compatible identd due to the fact that I'm on a cable
> network with a bad reputation for failing to smack down kiddies who
> abuse IRC servers.
>
> In the past I've used oidentd on a linux-based firewall to supply this
> service. Since I've switched to OpenBSD on the firewall, I'd like to use
> oidentd there, but when oidentd is run with a non-privileged uid/gid
> it returns 'ERROR : NO-USER' for all NAT'd requests. Looking at the
> oidentd source, I'm guessing this is due to the failed read/write open
> of /dev/pf when oidentd tries to service a NAT'd request.
>
> Unless I'm mistaken, /dev/pf must be owned root:wheel, so a special
> group and /dev/pf with group r/w perms is out of the question (please
> correct me if I'm wrong).
>
> Other than fixing the oidentd code, is there a reasonably safe
> workaround for this problem, or is there a "safer" identd that supports
> NAT?
>
> TIA,
>
> --
> David Wollmann
> ICQ: 10742063
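The pf-group setup described in the reply above (a dedicated group owning /dev/pf with group read/write, service accounts enrolled in it), as an added script that is not from the thread; it also checks that the device is not world-accessible. The service account names, the group name `pf` and the use of OpenBSD's `groupadd`/`usermod` are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): let a 'pf' group read and
# write /dev/pf so unprivileged daemons such as oidentd can query NAT state,
# then verify the device keeps no world access. Run "apply" as root.
# Assumptions: OpenBSD groupadd(8)/usermod(8); the service accounts exist.

PF_DEV=/dev/pf
PF_GROUP=pf
SERVICE_USERS="_oidentd _ftp_proxy"      # assumed account names

# Succeeds only when $1 is owned by group $2, the group has rw access and
# "other" has no access at all. Parses ls -ld, which prints
# "mode links owner group ..." on BSD and Linux alike.
check_pf_perms() {
    path=$1; group=$2
    line=$(ls -ld "$path") || return 1
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    grp=$(printf '%s\n' "$line" | awk '{print $4}')
    [ "$grp" = "$group" ] || { echo "$path: group is $grp, want $group" >&2; return 1; }
    case "$mode" in
        ????rw?*) ;;                       # chars 5-6: group r and w
        *) echo "$path: group lacks rw ($mode)" >&2; return 1 ;;
    esac
    case "$mode" in
        ???????---*) return 0 ;;           # chars 8-10: no world access
        *) echo "$path: world-accessible ($mode)" >&2; return 1 ;;
    esac
}

# Create the group if missing, hand the device to it and enrol each service
# account. Note: on Linux, usermod -G replaces the secondary group list
# (use -aG there); check usermod(8) on your system before running.
apply_pf_group() {
    grep -q "^$PF_GROUP:" /etc/group || groupadd "$PF_GROUP"
    chgrp "$PF_GROUP" "$PF_DEV"
    chmod 660 "$PF_DEV"
    for u in $SERVICE_USERS; do
        usermod -G "$PF_GROUP" "$u"
    done
}

case "${1:-}" in
    apply) apply_pf_group && check_pf_perms "$PF_DEV" "$PF_GROUP" ;;
    check) check_pf_perms "$PF_DEV" "$PF_GROUP" ;;
    *) echo "usage: $0 apply|check" >&2 ;;
esac
```

Run `sh pfgroup.sh check` after the change to confirm the mode is `crw-rw----` with group `pf`; any "world-accessible" report means the chmod did not take.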