2002-12-10 00:39:17 +00:00
|
|
|
.\" Copyright (c) 2002 Networks Associates Technology, Inc.
|
|
|
|
.\" All rights reserved.
|
2003-05-21 15:55:40 +00:00
|
|
|
.\"
|
2003-01-08 11:06:22 +00:00
|
|
|
.\" This software was developed for the FreeBSD Project by Chris Costello
|
|
|
|
.\" at Safeport Network Services and Network Associates Laboratories, the
|
|
|
|
.\" Security Research Division of Network Associates, Inc. under
|
2002-12-10 00:39:17 +00:00
|
|
|
.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
|
|
|
|
.\" DARPA CHATS research program.
|
2003-05-21 15:55:40 +00:00
|
|
|
.\"
|
2002-12-10 00:39:17 +00:00
|
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
|
|
.\" modification, are permitted provided that the following conditions
|
|
|
|
.\" are met:
|
|
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
|
|
.\" documentation and/or other materials provided with the distribution.
|
2003-05-21 15:55:40 +00:00
|
|
|
.\"
|
2002-12-10 00:39:17 +00:00
|
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
|
|
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
.\" SUCH DAMAGE.
|
2003-05-21 15:55:40 +00:00
|
|
|
.\"
|
2002-12-10 00:39:17 +00:00
|
|
|
.\" $FreeBSD$
|
2003-06-01 21:52:59 +00:00
|
|
|
.\"
|
2005-11-18 10:56:28 +00:00
|
|
|
.Dd October 6, 2005
|
2002-12-10 00:39:17 +00:00
|
|
|
.Os
|
|
|
|
.Dt MAC_SEEOTHERUIDS 4
|
|
|
|
.Sh NAME
|
|
|
|
.Nm mac_seeotheruids
|
2003-06-01 21:52:59 +00:00
|
|
|
.Nd "simple policy controlling whether users see other users"
|
2002-12-10 00:39:17 +00:00
|
|
|
.Sh SYNOPSIS
|
2003-06-01 21:52:59 +00:00
|
|
|
To compile the
|
2002-12-10 00:39:17 +00:00
|
|
|
policy into your kernel, place the following lines in your kernel
|
|
|
|
configuration file:
|
2003-06-01 21:52:59 +00:00
|
|
|
.Bd -ragged -offset indent
|
2002-12-10 00:39:17 +00:00
|
|
|
.Cd "options MAC"
|
|
|
|
.Cd "options MAC_SEEOTHERUIDS"
|
2003-06-01 21:52:59 +00:00
|
|
|
.Ed
|
2002-12-10 00:39:17 +00:00
|
|
|
.Pp
|
|
|
|
Alternately, to load the module at boot time, place the following line
|
|
|
|
in your kernel configuration file:
|
2003-06-01 21:52:59 +00:00
|
|
|
.Bd -ragged -offset indent
|
2002-12-10 00:39:17 +00:00
|
|
|
.Cd "options MAC"
|
2003-06-01 21:52:59 +00:00
|
|
|
.Ed
|
2002-12-10 00:39:17 +00:00
|
|
|
.Pp
|
|
|
|
and in
|
2003-06-08 13:27:57 +00:00
|
|
|
.Xr loader.conf 5 :
|
2003-06-01 21:52:59 +00:00
|
|
|
.Bd -literal -offset indent
|
|
|
|
mac_seeotheruids_load="YES"
|
|
|
|
.Ed
|
2002-12-10 00:39:17 +00:00
|
|
|
.Sh DESCRIPTION
|
|
|
|
The
|
|
|
|
.Nm
|
|
|
|
policy module, when enabled, denies users to see processes or sockets owned
|
|
|
|
by other users.
|
|
|
|
.Pp
|
|
|
|
To enable
|
|
|
|
.Nm ,
|
|
|
|
set the sysctl OID
|
|
|
|
.Va security.mac.seeotheruids.enabled
|
2003-06-01 21:52:59 +00:00
|
|
|
to 1.
|
2005-10-07 02:29:50 +00:00
|
|
|
To permit superuser awareness of other credentials by virtue of privilege,
|
|
|
|
set the sysctl OID
|
|
|
|
.Va security.mac.seeotheruids.suser_privileged
|
|
|
|
to 1.
|
2002-12-10 00:39:17 +00:00
|
|
|
.Pp
|
|
|
|
To allow users to see processes and sockets owned by the same primary group,
|
|
|
|
set the sysctl OID
|
|
|
|
.Va security.mac.seeotheruids.primarygroup_enabled
|
2003-06-01 21:52:59 +00:00
|
|
|
to 1.
|
2002-12-10 00:39:17 +00:00
|
|
|
.Pp
|
|
|
|
To allow processes with a specific group ID to be exempt from the policy,
|
|
|
|
set the sysctl OID
|
|
|
|
.Va security.mac.seeotheruids.specificgid_enabled
|
2003-06-01 21:52:59 +00:00
|
|
|
to 1, and
|
2002-12-10 00:39:17 +00:00
|
|
|
.Va security.mac.seeotheruids.specificgid
|
2003-06-01 21:52:59 +00:00
|
|
|
to the group ID to be exempted.
|
2002-12-10 00:39:17 +00:00
|
|
|
.Ss Label Format
|
|
|
|
No labels are defined for
|
|
|
|
.Nm .
|
|
|
|
.Sh SEE ALSO
|
2003-01-15 02:59:36 +00:00
|
|
|
.Xr mac 4 ,
|
2002-12-10 00:39:17 +00:00
|
|
|
.Xr mac_biba 4 ,
|
|
|
|
.Xr mac_bsdextended 4 ,
|
2002-12-11 01:02:26 +00:00
|
|
|
.Xr mac_ifoff 4 ,
|
2003-01-08 10:47:18 +00:00
|
|
|
.Xr mac_lomac 4 ,
|
2002-12-10 00:39:17 +00:00
|
|
|
.Xr mac_mls 4 ,
|
2003-06-01 21:52:59 +00:00
|
|
|
.Xr mac_none 4 ,
|
2002-12-11 01:02:26 +00:00
|
|
|
.Xr mac_partition 4 ,
|
2003-03-31 08:08:59 +00:00
|
|
|
.Xr mac_portacl 4 ,
|
2002-12-10 00:39:17 +00:00
|
|
|
.Xr mac_test 4 ,
|
|
|
|
.Xr mac 9
|
|
|
|
.Sh HISTORY
|
|
|
|
The
|
|
|
|
.Nm
|
|
|
|
policy module first appeared in
|
|
|
|
.Fx 5.0
|
2003-06-01 21:52:59 +00:00
|
|
|
and was developed by the
|
|
|
|
.Tn TrustedBSD
|
|
|
|
Project.
|
2002-12-10 00:39:17 +00:00
|
|
|
.Sh AUTHORS
|
|
|
|
This software was contributed to the
|
|
|
|
.Fx
|
|
|
|
Project by Network Associates Labs,
|
|
|
|
the Security Research Division of Network Associates
|
2004-07-03 18:29:24 +00:00
|
|
|
Inc.
|
|
|
|
under DARPA/SPAWAR contract N66001-01-C-8035
|
2003-06-01 21:52:59 +00:00
|
|
|
.Pq Dq CBOSS ,
|
2002-12-10 00:39:17 +00:00
|
|
|
as part of the DARPA CHATS research program.
|
|
|
|
.Sh BUGS
|
|
|
|
See
|
|
|
|
.Xr mac 9
|
|
|
|
concerning appropriateness for production use.
|
2003-06-01 21:52:59 +00:00
|
|
|
The
|
|
|
|
.Tn TrustedBSD
|
|
|
|
MAC Framework is considered experimental in
|
2002-12-10 00:39:17 +00:00
|
|
|
.Fx .
|
|
|
|
.Pp
|
|
|
|
While the MAC Framework design is intended to support the containment of
|
|
|
|
the root user, not all attack channels are currently protected by entry
|
|
|
|
point checks.
|
|
|
|
As such, MAC Framework policies should not be relied on, in isolation,
|
|
|
|
to protect against a malicious privileged user.
|