From: Clinton Ebadi
Date: Sat, 13 Jul 2013 06:50:04 +0000 (-0400)
Subject: Check user exists before opening incoming ports
X-Git-Tag: release_20130720
X-Git-Url: https://git.hcoop.net/hcoop/domtool2.git/commitdiff_plain/787bd6a4c0e305649231f595647dab8dd35865f7?ds=sidebyside

Check user exists before opening incoming ports

* Although we can't limit who actually listens on the port, better to not open any ports for members who might be gone
---
diff --git a/src/plugins/firewall.sml b/src/plugins/firewall.sml
index a693642..5da168f 100644
--- a/src/plugins/firewall.sml
+++ b/src/plugins/firewall.sml
@@ -151,9 +151,13 @@ fun generateFirewallConfig rules =
 (* We can't match the user when listening; SELinux or similar would let us manage this with better granularity.*)
- (TextIO.output (users_tcp_in_conf, "proto tcp {\n");
- TextIO.output (users_tcp_in_conf, concat lines);
- TextIO.output (users_tcp_in_conf, "\n}\n\n"))
+ let
+ val _ = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname)))
+ in
+ TextIO.output (users_tcp_in_conf, "proto tcp {\n");
+ TextIO.output (users_tcp_in_conf, concat lines);
+ TextIO.output (users_tcp_in_conf, "\n}\n\n")
+ end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n" (* no sense in opening ports for bad users *)
 fun writeUserOutRules (uname, lines) =
 let
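Review bot: The `SysWord.toInt (Posix.ProcEnv.uidToWord ...)` chain on the added `val _` line discards its result and adds an exception path the new `handle OS.SysErr _` clause does not cover: `SysWord.toInt` raises `Overflow` for a uid that does not fit in `Int.int` (plausible for a very large nobody-style uid on a 32-bit SML/NJ build, whose default int is 31-bit), so one such account would abort the whole firewall generation instead of being skipped. `val _ = Posix.SysDB.getpwnam uname` is sufficient for the existence check, since `getpwnam` itself raises `OS.SysErr` for an unknown name. The handler is also wider than the check — it spans the three `TextIO.output` calls — so I would move the lookup into a small `userExists` helper, keep the writes outside it, and include `uname` in the skip message (ideally on stderr) so the affected member can be identified from the output. The enclosing function's header lies outside the hunk.
```sml
let
    (* Existence check only; the uid value itself is not needed. *)
    fun userExists name =
        (ignore (Posix.SysDB.getpwnam name); true)
        handle OS.SysErr _ => false
in
    if userExists uname then
        (TextIO.output (users_tcp_in_conf, "proto tcp {\n");
         TextIO.output (users_tcp_in_conf, concat lines);
         TextIO.output (users_tcp_in_conf, "\n}\n\n"))
    else
        (* no sense in opening ports for bad users *)
        TextIO.output (TextIO.stdErr, "Invalid user " ^ uname ^ " in firewall config, skipping.\n")
end
```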