mac_seeotheruids.4 (115211) | mac_seeotheruids.4 (115643) |
---|---|
1.\" Copyright (c) 2002 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Laboratories, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. --- 14 unchanged lines hidden (view full) --- 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" | 1.\" Copyright (c) 2002 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Laboratories, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. --- 14 unchanged lines hidden (view full) --- 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" |
31.\" $FreeBSD: head/share/man/man4/mac_seeotheruids.4 115211 2003-05-21 15:55:40Z ru $ 32.Dd DECEMBER 8, 2002 | 31.\" $FreeBSD: head/share/man/man4/mac_seeotheruids.4 115643 2003-06-01 21:52:59Z ru $ 32.\" 33.Dd December 8, 2002 |
33.Os 34.Dt MAC_SEEOTHERUIDS 4 35.Sh NAME 36.Nm mac_seeotheruids | 34.Os 35.Dt MAC_SEEOTHERUIDS 4 36.Sh NAME 37.Nm mac_seeotheruids |
37.Nd simple policy controlling whether users see other users | 38.Nd "simple policy controlling whether users see other users" |
38.Sh SYNOPSIS | 39.Sh SYNOPSIS |
39To compile the mac_seeotheruids | 40To compile the |
40policy into your kernel, place the following lines in your kernel 41configuration file: | 41policy into your kernel, place the following lines in your kernel 42configuration file: |
43.Bd -ragged -offset indent |
|
42.Cd "options MAC" 43.Cd "options MAC_SEEOTHERUIDS" | 44.Cd "options MAC" 45.Cd "options MAC_SEEOTHERUIDS" |
46.Ed |
|
44.Pp 45Alternately, to load the module at boot time, place the following line 46in your kernel configuration file: | 47.Pp 48Alternately, to load the module at boot time, place the following line 49in your kernel configuration file: |
50.Bd -ragged -offset indent |
|
47.Cd "options MAC" | 51.Cd "options MAC" |
52.Ed |
|
48.Pp 49and in 50.Xr loader.conf.5 : | 53.Pp 54and in 55.Xr loader.conf.5 : |
51.Cd mac_seeotheruids_load= Ns \&"YES" | 56.Bd -literal -offset indent 57mac_seeotheruids_load="YES" 58.Ed |
52.Sh DESCRIPTION 53The 54.Nm 55policy module, when enabled, denies users to see processes or sockets owned 56by other users. 57.Pp 58To enable 59.Nm , 60set the sysctl OID 61.Va security.mac.seeotheruids.enabled | 59.Sh DESCRIPTION 60The 61.Nm 62policy module, when enabled, denies users to see processes or sockets owned 63by other users. 64.Pp 65To enable 66.Nm , 67set the sysctl OID 68.Va security.mac.seeotheruids.enabled |
62to 63.Li 1 . | 69to 1. |
64.Pp 65To allow users to see processes and sockets owned by the same primary group, 66set the sysctl OID 67.Va security.mac.seeotheruids.primarygroup_enabled | 70.Pp 71To allow users to see processes and sockets owned by the same primary group, 72set the sysctl OID 73.Va security.mac.seeotheruids.primarygroup_enabled |
68to 69.Li 1 . | 74to 1. |
70.Pp 71To allow processes with a specific group ID to be exempt from the policy, 72set the sysctl OID 73.Va security.mac.seeotheruids.specificgid_enabled | 75.Pp 76To allow processes with a specific group ID to be exempt from the policy, 77set the sysctl OID 78.Va security.mac.seeotheruids.specificgid_enabled |
74to 75.Li 1 , 76and | 79to 1, and |
77.Va security.mac.seeotheruids.specificgid | 80.Va security.mac.seeotheruids.specificgid |
78to the gid to be exempted. | 81to the group ID to be exempted. |
79.Ss Label Format 80No labels are defined for 81.Nm . 82.Sh SEE ALSO 83.Xr mac 4 , 84.Xr mac_biba 4 , 85.Xr mac_bsdextended 4 , 86.Xr mac_ifoff 4 , 87.Xr mac_lomac 4 , 88.Xr mac_mls 4 , | 82.Ss Label Format 83No labels are defined for 84.Nm . 85.Sh SEE ALSO 86.Xr mac 4 , 87.Xr mac_biba 4 , 88.Xr mac_bsdextended 4 , 89.Xr mac_ifoff 4 , 90.Xr mac_lomac 4 , 91.Xr mac_mls 4 , |
92.Xr mac_none 4 , |
|
89.Xr mac_partition 4 , 90.Xr mac_portacl 4 , | 93.Xr mac_partition 4 , 94.Xr mac_portacl 4 , |
91.Xr mac_none 4 , | |
92.Xr mac_test 4 , 93.Xr mac 9 94.Sh HISTORY 95The 96.Nm 97policy module first appeared in 98.Fx 5.0 | 95.Xr mac_test 4 , 96.Xr mac 9 97.Sh HISTORY 98The 99.Nm 100policy module first appeared in 101.Fx 5.0 |
99and was developed by the TrustedBSD Project. | 102and was developed by the 103.Tn TrustedBSD 104Project. |
100.Sh AUTHORS 101This software was contributed to the 102.Fx 103Project by Network Associates Labs, 104the Security Research Division of Network Associates | 105.Sh AUTHORS 106This software was contributed to the 107.Fx 108Project by Network Associates Labs, 109the Security Research Division of Network Associates |
105Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), | 110Inc. under DARPA/SPAWAR contract N66001-01-C-8035 111.Pq Dq CBOSS , |
106as part of the DARPA CHATS research program. 107.Sh BUGS 108See 109.Xr mac 9 110concerning appropriateness for production use. | 112as part of the DARPA CHATS research program. 113.Sh BUGS 114See 115.Xr mac 9 116concerning appropriateness for production use. |
111The TrustedBSD MAC Framework is considered experimental in | 117The 118.Tn TrustedBSD 119MAC Framework is considered experimental in |
112.Fx . 113.Pp 114While the MAC Framework design is intended to support the containment of 115the root user, not all attack channels are currently protected by entry 116point checks. 117As such, MAC Framework policies should not be relied on, in isolation, 118to protect against a malicious privileged user. | 120.Fx . 121.Pp 122While the MAC Framework design is intended to support the containment of 123the root user, not all attack channels are currently protected by entry 124point checks. 125As such, MAC Framework policies should not be relied on, in isolation, 126to protect against a malicious privileged user. |