Running authpf on modern FreeBSD


Matthew Grooms
Hi Everyone,

Is authpf supported on FreeBSD these days? It's included in the base
distribution, so I'd assume so. I tried to follow the man page and some
older howtos online, but didn't have much luck. It would appear that
the binary is installed with the setuid bit set in the filesystem ...

# ls -la /usr/sbin/authpf
-r-sr-sr-x  2 root  authpf  24424 Sep 26  2019 /usr/sbin/authpf

... As far as I can tell, support for that isn't enabled in the generic
kernel as enabling the feature on the mount command doesn't show setuid
as an enabled option ...

# mount
/dev/gpt/rootfs on / (ufs, local, soft-updates)

There's no mention of this requirement in the authpf man page, but there
is a reference to mount(8) in the chmod(2) man page. The mount man page
suggests a custom kernel may be required for the suiddir option, but
it's not clear if that's required for suid operation. Pretty confusing.

When I try to test the authpf binary directly under truss, it hits a
bunch of errors that would suggest it needs root permissions. I can hack
around some of them, but eventually get stuck on ...

$ truss -s128 /usr/sbin/authpf
...
socket(PF_LOCAL,SOCK_DGRAM|SOCK_CLOEXEC,0)       = 6 (0x6)
connect(6,{ AF_UNIX "/var/run/logpriv" },106)    ERR#13 'Permission denied'
connect(6,{ AF_UNIX "/var/run/log" },106)        = 0 (0x0)
sendto(6,"<14>Nov 16 10:24:01 authpf: setgroups: Operation not permitted",62,0,NULL,0) = 62 (0x3e)

The setgroups(2) man page states that "Only the super-user may set a new
group list". Any suggestions?

Thanks,

-Matthew
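A small check script, added here as an example and not part of Matthew's post, that inspects the two things that actually govern whether a set-id binary such as /usr/sbin/authpf gains privileges: the set-id bits in the file mode and the nosuid flag on the mount that holds it. Two facts worth keeping in mind when reading the post: the mount(8) option that disables set-id execution is nosuid, not suiddir (suiddir concerns the ownership of files created inside set-id directories and is unrelated), and FreeBSD does not honour set-id bits when a binary is exec()ed under a ptrace(2) tracer such as truss(1), so a setgroups EPERM observed under truss does not by itself show that authpf is broken. The script assumes the usual ls(1), df -P and mount(8) output layouts (mount point in field 3 of a mount line); the sample mode and mount strings in the comments are constructed, not captured.

```shell
#!/bin/sh
# setid-check.sh: report whether a set-id binary can actually gain privileges.
# Added example, not from the freebsd-pf post or the authpf sources.
# Assumptions: ls -l prints the mode string in field 1, df -P prints the
# mount point in field 6 of line 2, and mount(8) prints "<dev> on <mnt> (...)".

# ls -l mode string, e.g. "-r-sr-sr-x" (constructed sample).  The owner
# execute slot is the 4th character and shows 's' (or 'S' when not
# executable) when setuid is set.
mode_has_setuid() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Group execute slot is the 7th character; 's'/'S' there means setgid.
mode_has_setgid() {
    case "$1" in
        ??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# One line of mount(8) output, e.g. (constructed sample)
#   /dev/gpt/rootfs on / (ufs, local, soft-updates)
# The option that blocks set-id execution is "nosuid" inside the option
# list; "suiddir" is a different feature and its absence is irrelevant.
# Prints "nosuid" or "suid-ok".
mount_line_suid_policy() {
    case "$1" in
        *"("*nosuid*")"*) echo nosuid ;;
        *) echo suid-ok ;;
    esac
}

# Combine both checks for a path on the running system and print a verdict.
# Returns 0 when the binary is setuid and the mount permits set-id execution.
# Do not use truss(1) to verify this: the kernel refuses to raise privileges
# for an exec performed under a ptrace(2) tracer, so setgroups/setuid will
# fail with EPERM even when the binary works when run normally.
check_setid_binary() {
    path=$1
    mode=$(ls -l "$path" | awk '{print $1}')
    mnt=$(df -P "$path" | awk 'NR == 2 {print $6}')
    line=$(mount | awk -v m="$mnt" '$3 == m {print; exit}')
    policy=$(mount_line_suid_policy "$line")
    if mode_has_setuid "$mode"; then suid=yes; else suid=no; fi
    if mode_has_setgid "$mode"; then sgid=yes; else sgid=no; fi
    printf '%s: mode=%s setuid=%s setgid=%s mount=%s (%s)\n' \
        "$path" "$mode" "$suid" "$sgid" "$mnt" "$policy"
    [ "$suid" = yes ] && [ "$policy" = suid-ok ]
}

# Usage: sh setid-check.sh /usr/sbin/authpf
[ $# -gt 0 ] && check_setid_binary "$1"
```

A verdict of setuid=yes with suid-ok means the kernel will honour the bit for an untraced exec; if authpf still reports setgroups EPERM in that case, the failure lies elsewhere (for example the invoking user not being in the authpf group, or a nosuid mount on a different path).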

https://lists.freebsd.org/mailman/listinfo/freebsd-pf