89ddbd45e5
subject: ranges of uid, ranges of gid, jail id objects: ranges of uid, ranges of gid, filesystem, object is suid, object is sgid, object matches subject uid/gid object type We can also negate individual conditions. The ruleset language is a superset of the previous language, so old rules should continue to work. These changes require a change to the API between libugidfw and the mac_bsdextended module. Add a version number, so we can tell if we're running mismatched versions. Update man pages to reflect changes, add extra test cases to test_ugidfw.c and add a shell script that checks that the the module seems to do what we expect. Suggestions from: rwatson, trhodes Reviewed by: trhodes MFC after: 2 months
362 lines
7.0 KiB
Groff
362 lines
7.0 KiB
Groff
.\" Copyright (c) 2002, 2004 Networks Associates Technology, Inc.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" This software was developed for the FreeBSD Project by Chris
|
|
.\" Costello at Safeport Network Services and NAI Labs, the Security
|
|
.\" Research Division of Network Associates, Inc. under DARPA/SPAWAR
|
|
.\" contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS
|
|
.\" research program.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd February 24, 2004
|
|
.Dt UGIDFW 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm ugidfw
|
|
.Nd "firewall-like access controls for file system objects"
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Cm add
|
|
.Cm subject
|
|
.Op Cm not
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm uid Ar uid | minuid:maxuid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm gid Ar gid | mingid:maxgid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm jailid Ad jailid
|
|
.Oc
|
|
.Cm object
|
|
.Op Cm not
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm uid Ar uid | minuid:maxuid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm gid Ar gid | mingid:maxgid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm filesys Ad path
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm suid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm sgid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm uid_of_subject
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm gid_of_subject
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm type Ar ardbclsp
|
|
.Oc
|
|
.Cm mode
|
|
.Ar arswxn
|
|
.Nm
|
|
.Cm list
|
|
.Nm
|
|
.Cm set
|
|
.Ar rulenum
|
|
.Cm subject
|
|
.Op Cm not
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm uid Ar uid | minuid:maxuid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm gid Ar gid | mingid:maxgid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm jailid Ad jailid
|
|
.Oc
|
|
.Cm object
|
|
.Op Cm not
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm uid Ar uid | minuid:maxuid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm gid Ar gid | mingid:maxgid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm filesys Ad path
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm suid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm sgid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm uid_of_subject
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm gid_of_subject
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm type Ar ardbclsp
|
|
.Oc
|
|
.Cm mode
|
|
.Ar arswxn
|
|
.Nm
|
|
.Cm remove
|
|
.Ar rulenum
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
utility provides an
|
|
.Xr ipfw 8 Ns -like
|
|
interface to manage access to file system objects by UID and GID,
|
|
supported by the
|
|
.Xr mac_bsdextended 4
|
|
.Xr mac 9
|
|
policy.
|
|
.Pp
|
|
The arguments are as follows:
|
|
.Bl -tag -width indent -offset indent
|
|
.It Xo
|
|
.Cm add
|
|
.Cm subject
|
|
.Ar ...
|
|
.Cm object
|
|
.Ar ...
|
|
.Cm mode
|
|
.Ar arswxn
|
|
.Xc
|
|
Add a new rule, automatically selecting the rule number.
|
|
See the description of
|
|
.Cm set
|
|
for syntax information.
|
|
.It Cm list
|
|
Produces a list of all the current
|
|
.Nm
|
|
rules in the system.
|
|
.It Xo
|
|
.Cm set Ar rulenum
|
|
.Cm subject
|
|
.Ar ...
|
|
.Cm object
|
|
.Ar ...
|
|
.Cm mode
|
|
.Ar arswxn
|
|
.Xc
|
|
Add a new rule or modify an existing rule.
|
|
The arguments are as follows:
|
|
.Bl -tag -width ".Ar rulenum"
|
|
.It Ar rulenum
|
|
Rule number.
|
|
Entries with a lower rule number
|
|
are applied first;
|
|
placing the most frequently-matched rules at the beginning of the list
|
|
(i.e., lower-numbered)
|
|
will yield a slight performance increase.
|
|
.It Xo
|
|
.Cm subject
|
|
.Op Cm not
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm uid Ar uid | minuid:maxuid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm gid Ar gid | mingid:maxgid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm jailid Ad jailid
|
|
.Oc
|
|
.Xc
|
|
Subjects performing an operation must match all the conditions given.
|
|
A leading
|
|
.Cm not
|
|
means that the subject should not match the remainder of the specification.
|
|
A condition may be prefixed by
|
|
.Cm \&!
|
|
to indicate that particular condition must not match the subject.
|
|
The subject can be required to have a particular
|
|
.Ar uid
|
|
and/or
|
|
.Ar gid .
|
|
A range of uids/gids can be specified,
|
|
seperated by a colon.
|
|
The subject can be required to be in a particular jail with the
|
|
.Ar jailid .
|
|
.It Xo
|
|
.Cm object
|
|
.Op Cm not
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm uid Ar uid | minuid:maxuid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm gid Ar gid | mingid:maxgid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm filesys Ad path
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm suid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm sgid
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm uid_of_subject
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm gid_of_subject
|
|
.Oc
|
|
.Oo
|
|
.Op Cm \&!
|
|
.Cm type Ar ardbclsp
|
|
.Oc
|
|
.Xc
|
|
The rule will apply only to objects matching all the specified conditions.
|
|
A leading
|
|
.Cm not
|
|
means that the object should not match all the remaining conditions.
|
|
A condition may be prefixed by
|
|
.Cm \&!
|
|
to indicate that particular condition must not match the object.
|
|
Objects can be required to be owned by the user and/or group specified by
|
|
.Ar uid
|
|
and/or
|
|
.Ar gid .
|
|
A range of uids/gids can be specified, seperated by a colon.
|
|
The object can be required to be in a particular filesystem by
|
|
specifing the filesystem using
|
|
.Cm filesys .
|
|
Note,
|
|
if the filesystem is unmounted and remounted,
|
|
then the rule may need to be reapplied to ensure the correct filesystem
|
|
id is used.
|
|
The object can be required to have the
|
|
.Cm suid
|
|
or
|
|
.Cm sgid
|
|
bits set.
|
|
The owner of the object can be required to match the
|
|
.Cm uid_of_subject
|
|
or the
|
|
.Cm gid_of_subject
|
|
attempting the operation.
|
|
The type of the object can be restricted to a subset of
|
|
the following types.
|
|
.Pp
|
|
.Bl -tag -width ".Cm w" -compact -offset indent
|
|
.It Cm a
|
|
any file type
|
|
.It Cm r
|
|
a regular file
|
|
.It Cm d
|
|
a directory
|
|
.It Cm b
|
|
a block special device
|
|
.It Cm c
|
|
a character special device
|
|
.It Cm l
|
|
a symbolic link
|
|
.It Cm s
|
|
a unix domain socket
|
|
.It Cm p
|
|
a named pipe (FIFO)
|
|
.El
|
|
.It Cm mode Ar arswxn
|
|
Similar to
|
|
.Xr chmod 1 ,
|
|
each character represents an access mode.
|
|
If the rule applies,
|
|
the specified access permissions are enforced
|
|
for the object.
|
|
When a character is specified in the rule,
|
|
the rule will allow for the operation.
|
|
Conversely, not including it will cause the operation
|
|
to be denied.
|
|
The definitions of each character are as follows:
|
|
.Pp
|
|
.Bl -tag -width ".Cm w" -compact -offset indent
|
|
.It Cm a
|
|
administrative operations
|
|
.It Cm r
|
|
read access
|
|
.It Cm s
|
|
access to file attributes
|
|
.It Cm w
|
|
write access
|
|
.It Cm x
|
|
execute access
|
|
.It Cm n
|
|
none
|
|
.El
|
|
.El
|
|
.It Cm remove Ar rulenum
|
|
Disable and remove the rule with the specified rule number.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr mac_bsdextended 4 ,
|
|
.Xr mac 9
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
utility first appeared in
|
|
.Fx 5.0 .
|
|
.Sh AUTHORS
|
|
This software was contributed to the
|
|
.Fx
|
|
Project by NAI Labs, the Security Research Division of Network Associates
|
|
Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
|
|
.Pq Dq CBOSS ,
|
|
as part of the DARPA CHATS research program.
|