4 * Copyright (C) 1998 - 2007 Bob Beck (beck@openbsd.org).
39 #include <grp.h>
61 char rulesetname[MAXPATHLEN - PF_ANCHOR_NAME_SIZE - 2];
66 int pidfd = -1;
101 if (strcmp(__progname, "-authpf-noip") == 0) in main()
111 syslog(LOG_ERR, "non-interactive session connection for authpf"); in main()
150 if ((lc = login_getclass(pw->pw_class)) != NULL) in main()
151 shell = login_getcapstr(lc, "shell", pw->pw_shell, in main()
152 pw->pw_shell); in main()
154 shell = pw->pw_shell; in main()
163 pw->pw_name, pw->pw_uid); in main()
167 if (shell != pw->pw_shell) in main()
176 if (shell != pw->pw_shell) in main()
184 if (strlcpy(luser, pw->pw_name, sizeof(luser)) >= sizeof(luser)) { in main()
185 syslog(LOG_ERR, "username too long: %s", pw->pw_name); in main()
219 * wants to switch users - so kill the old process and exit in main()
233 int save_errno, otherpid = -1; in main()
236 if ((pidfd = open(pidfile, O_RDWR|O_CREAT, 0644)) == -1 || in main()
238 if (pidfd != -1) in main()
252 /* 31 == MAXLOGNAME - 1 */ in main()
254 otherpid = -1; in main()
262 if (kill((pid_t) otherpid, SIGTERM) == -1) { in main()
280 pidfd = -1; in main()
285 /* re-open, and try again. The previous authpf process in main()
291 pidfd = -1; in main()
296 if (setgroups(1, &gid) == -1) { in main()
303 if (setresuid(uid, uid, uid) == -1) { in main()
330 if (change_filter(1, luser, ipsrc) == -1) { in main()
334 if (user_ip && change_table(1, ipsrc) == -1) { in main()
386 if (buf[len - 1] != '\n' && !feof(f)) { in read_config()
391 buf[len - 1] = '\0'; in read_config()
409 *tp-- = '\0'; in read_config()
433 * splatter a file to stdout - max line length of 1024,
510 if (buf[len - 1] == '\n') in allowed_luser()
511 buf[len - 1] = '\0'; in allowed_luser()
522 if (strcmp(pw->pw_class, buf + 1) == 0) in allowed_luser()
538 (void) getgrouplist(pw->pw_name, in allowed_luser()
539 pw->pw_gid, groups, &ngroups); in allowed_luser()
544 if (group->gr_gid == groups[cnt]) { in allowed_luser()
551 matched = strcmp(pw->pw_name, buf) == 0 || in allowed_luser()
564 pw->pw_name, PATH_ALLOWFILE); in allowed_luser()
580 * do to get un-banned, or just to tell them they aren't
581 * going to be un-banned.)
615 * luser is banned - spit the file at them to in check_luser()
622 strlcpy(tmp, "\n\n-**- Sorry, you have been banned! -**-\n\n", in check_luser()
661 prs.nr = nr - 1; in remove_stale_rulesets()
677 nr--; in remove_stale_rulesets()
698 t->size = PF_RULESET_MAX+1; in recursive_ruleset_purge()
699 t->esize = sizeof(struct pfioc_trans_e); in recursive_ruleset_purge()
700 t->array = t_e; in recursive_ruleset_purge()
714 snprintf(prs->path, sizeof(prs->path), "%s/%s", an, rs); in recursive_ruleset_purge()
720 int nr = prs->nr; in recursive_ruleset_purge()
723 prs->nr = 0; in recursive_ruleset_purge()
727 if (recursive_ruleset_purge(prs->path, prs->name)) in recursive_ruleset_purge()
729 nr--; in recursive_ruleset_purge()
759 "pfctl", "-p", "/dev/pf", "-q", "-a", "anchor/ruleset", in change_filter()
760 "-D", "user_id=X", "-D", "user_ip=X", "-f", "file", NULL in change_filter()
768 if (asprintf(&rsn, "%s/%s", anchorname, rulesetname) == -1) in change_filter()
770 if (asprintf(&fdpath, "/dev/fd/%d", pfctl_fd(pfh)) == -1) in change_filter()
772 if (asprintf(&ipstr, "user_ip=%s", ip_src) == -1) in change_filter()
774 if (asprintf(&userstr, "user_id=%s", l_user) == -1) in change_filter()
777 PATH_USER_DIR, l_user) == -1) in change_filter()
779 if (stat(fn, &sb) == -1) { in change_filter()
791 pargv[8] = "-f"; in change_filter()
797 case -1: in change_filter()
803 if (setregid(gid, gid) == -1) { in change_filter()
824 syslog(LOG_INFO, "removed %s, user %s - duration %ju seconds", in change_filter()
825 ip_src, l_user, (uintmax_t)(Tend.tv_sec - Tstart.tv_sec)); in change_filter()
836 return (-1); in change_filter()
853 return (-1); in change_table()
862 return (-1); in change_table()
875 return (-1); in change_table()
938 do_death(int active) in do_death() argument
942 if (active) { in do_death()
949 if (pidfile[0] && pidfd != -1) in do_death()
950 if (unlink(pidfile) == -1) in do_death()