From 787bd6a4c0e305649231f595647dab8dd35865f7 Mon Sep 17 00:00:00 2001
From: Clinton Ebadi
Date: Sat, 13 Jul 2013 02:50:04 -0400
Subject: [PATCH] Check user exists before opening incoming ports

* Although we can't limit who actually listens on the port, better to not open any ports for members who might be gone
---
 src/plugins/firewall.sml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/plugins/firewall.sml b/src/plugins/firewall.sml
index a693642..5da168f 100644
--- a/src/plugins/firewall.sml
+++ b/src/plugins/firewall.sml
@@ -151,9 +151,13 @@ fun generateFirewallConfig rules =
 (* We can't match the user when listening; SELinux or similar would let us manage this with better granularity.*)
- (TextIO.output (users_tcp_in_conf, "proto tcp {\n");
- TextIO.output (users_tcp_in_conf, concat lines);
- TextIO.output (users_tcp_in_conf, "\n}\n\n"))
+ let
+ val _ = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname)))
+ in
+ TextIO.output (users_tcp_in_conf, "proto tcp {\n");
+ TextIO.output (users_tcp_in_conf, concat lines);
+ TextIO.output (users_tcp_in_conf, "\n}\n\n")
+ end handle OS.SysErr _ => print "Invalid user in firewall config, skipping.\n" (* no sense in opening ports for bad users *)
 fun writeUserOutRules (uname, lines) =
 let
-- 
2.20.1
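Review bot: The `handle OS.SysErr _ =>` on the added `end` line treats every failure of the `getpwnam` lookup as a non-existent account and prints a message that names neither the account nor the reason, to stdout, so an operator cannot tell which member's ports were silently dropped or whether the cause was a stale entry or a failing directory lookup; at minimum name the account and report to stderr, e.g. `end handle OS.SysErr (msg, _) => TextIO.output (TextIO.stdErr, "Invalid user " ^ uname ^ " in firewall config (" ^ msg ^ "), skipping.\n")`. The `SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid ...))` chain only exists to force the lookup, so `val _ = Posix.SysDB.getpwnam uname` states the intent more plainly. Note that this check establishes only that some account with that name exists; if the per-user config names can be chosen by members, a system account such as root or a locked account would also pass, so a UID-range or shell check may be wanted here — that depends on how `uname` is sourced, which is not visible in the hunk. The enclosing function (the one binding `uname`) begins before the hunk.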