diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index 90d341f024e6..6110c5dcf3a0 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -468,6 +468,9 @@ performance_throttle_state="HIGH" # Online throttling state economy_cx_lowest="LOW" # Offline CPU idle state economy_throttle_state="HIGH" # Offline throttling state virecover_enable="YES" # Perform housekeeping for the vi(1) editor +ugidfw_enable="NO" # Load mac_bsdextended(1) rules on boot +bsdextended_script="/etc/rc.bsdextended" # Default mac_bsdextended(4) + # ruleset file. ############################################################## ### Jail Configuration ####################################### diff --git a/etc/rc.bsdextended b/etc/rc.bsdextended new file mode 100644 index 000000000000..69ecd545cf23 --- /dev/null +++ b/etc/rc.bsdextended @@ -0,0 +1,158 @@ +#!/bin/sh +# +# Copyright (c) 2004 Tom Rhodes +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ +# + +#### +# Sample startup policy for the mac_bsdextended(4) security module. +# +# Suck in the system configuration variables. +#### +if [ -z "${source_rc_confs_defined}" ]; then + if [ -r /etc/defaults/rc.conf ]; then + . /etc/defaults/rc.conf + source_rc_confs + elif [ -r /etc/rc.conf ]; then + . /etc/rc.conf + fi +fi + +#### +# Set ugidfw(8) to CMD: +#### +CMD=/usr/sbin/ugidfw + +#### +# WARNING: recommended reading is the handbook's MAC +# chapter and the ugidfw(8) +# manual page. You can lock yourself out of the system +# very quickly by setting incorrect values here. +#### + +#### +# Set the value of 'x' to system users. This would be nice but it +# does not get the \n proper. Work around is used below. +#x=`awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' /etc/passwd`; +#l=`awk -F: '($3 >= 1001) && ($3 != 65534) { print $3 }' /etc/passwd`; +#### + +#### +# Build a generic list of rules here, these should be +# modified before using this script. +# ugidfw add 1 subject uid USER1 object uid USER2 mode n +# ugidfw add 2 subject gid USER1 object gid USER2 mode n +# +# For apache to read user files, the ruleadd must give +# it permissions by default. +#### +${CMD} add subject uid 80 object not uid 80 mode rxws; +${CMD} add subject gid 80 object not gid 80 mode rxws; + +#### +# majordomo compat: +#${CMD} add subject uid 54 object not uid 54 mode rxws; +${CMD} add subject gid 26 object gid 54 mode rxws; + +#### +# This is for root: +${CMD} add subject uid 0 object not uid 0 mode arxws; +${CMD} add subject gid 0 object not gid 0 mode arxws; + +#### +# And for mailnull: +${CMD} add subject uid 26 object not uid 26 mode rxws; +${CMD} add subject gid 26 object not gid 26 mode rxws; + +#### +# And for majordomo: +${CMD} add subject uid 54 object not uid 54 mode rxws; +${CMD} add subject gid 54 object not gid 54 mode rxws; + +#### +# And for bin: +${CMD} add subject uid 3 object not uid 3 mode rxws; +${CMD} add subject gid 7 object not gid 7 mode rxws; + +#### +# And for mail/pop: +${CMD} add subject uid 68 object not uid 68 mode rxws; +${CMD} add subject gid 6 object not gid 6 mode arxws; + +#### +# And for smmsp: +${CMD} add subject uid 25 object not uid 25 mode rxws; +${CMD} add subject gid 25 object not gid 25 mode rxws; + +#### +# And for mailnull: +${CMD} add subject uid 26 object not uid 26 mode rxws; +${CMD} add subject gid 26 object not gid 26 mode rxws; + +#### +# For cyrus: +${CMD} add subject uid 60 object not uid 60 mode rxws; +${CMD} add subject gid 60 object not gid 60 mode rxws; + +#### +# For stunnel: +${CMD} add subject uid 1018 object not uid 1018 mode rxws; +${CMD} add subject gid 1018 object not gid 1018 mode rxws; + +#### +# For the nobody account: +${CMD} add subject uid 65534 object not uid 65534 mode rxws; +${CMD} add subject gid 65534 object not gid 65534 mode rxws; + +#### +# NOTICE: The next script adds a rule to allow +# access their mailbox which is owned by GID `6'. +# Removing this will give mailbox lock issues. +for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' /etc/passwd`; + do ${CMD} add subject uid $x object gid 6 mode arwxs; +done; + +#### +# Work around majordomo problem where gid is `4'. +for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' /etc/passwd`; + do ${CMD} add subject uid $x object gid 4 mode arwxs; +done; + +#### +# Use some script to get a list of users and +# add all users to mode n for all other users. This +# will isolate all users from other user home directories while +# permitting them to use commands and browse the system. +for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' /etc/passwd`; + do ${CMD} add subject not uid $x object uid $x mode n; +done; + +### +# Do the same thing but only for group ids in place of +# user IDs. +for x in `awk -F: '($3 >= 1001) && ($3 != 65534) { print $3 }' /etc/passwd`; + do ${CMD} add subject not gid $x object uid $x mode n; +done; diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile index 61bc3e826cf9..2d6f59d81868 100755 --- a/etc/rc.d/Makefile +++ b/etc/rc.d/Makefile @@ -34,7 +34,7 @@ FILES= DAEMON LOGIN NETWORKING SERVERS \ serial sppp sshd swap1 \ syscons sysctl syslogd \ timed tmp \ - usbd \ + ugidfw usbd \ var vinum virecover \ watchdogd \ ypbind yppasswdd ypserv \ diff --git a/etc/rc.d/ugidfw b/etc/rc.d/ugidfw new file mode 100644 index 000000000000..7e033c8aed69 --- /dev/null +++ b/etc/rc.d/ugidfw @@ -0,0 +1,52 @@ +#!/bin/sh +# +# $FreeBSD$ + +# PROVIDE: ugidfw +# REQUIRE: +# BEFORE: LOGIN +# KEYWORD: FreeBSD nojail + +. /etc/rc.subr + +name="ugidfw" +rcvar="ugidfw_enable" +start_cmd="ugidfw_start" +start_precmd="ugidfw_precmd" +stop_cmd="ugidfw_stop" + +ugidfw_precmd() +{ + if ! sysctl security.mac.bsdextended + then kldload mac_bsdextended + if [ "$?" -ne "0" ] + then warn Unable to load the mac_bsdextended module. + return 1 + else + return 0 + fi + fi + return 0 +} + +ugidfw_start() +{ + # set the default policy script if none was specified + [ -z "${bsdextended_script}" ] && bsdextended_script=/etc/rc.bsdextended + + if [ -r "${bsdextended_script}" ]; then + . "${bsdextended_script}" + echo -n 'MAC bsdextended rules loaded sucessfully.' + fi + echo '.' +} + +ugidfw_stop() +{ + # Disable the policy + # + kldunload mac_bsdextended +} + +load_rc_config $name +run_rc_command "$1"