author Tom Rhodes <trhodes@FreeBSD.org> 2006-04-22 07:25:30 +0000
committer Tom Rhodes <trhodes@FreeBSD.org> 2006-04-22 07:25:30 +0000
commit 9b2a54868c2775ee01a9f04474a84fd8b05e85ce
tree c12973ad7303e4e18d3eddc61549810cf7f96c76 /en_US.ISO8859-1/books/handbook/mac
parent bb455d511710a208eb90e9ac6919ab544e47313d
Add another simple example to lock down user resources. Remove the
commented out sandbox entry, we already have something above.
Notes: svn path=/head/; revision=27616
Diffstat (limited to 'en_US.ISO8859-1/books/handbook/mac')
1 files changed, 46 insertions, 7 deletions
diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
index b79791b40d..97fe1fc223 100644
--- a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
@@ -1916,16 +1916,55 @@ setpmac biba/10 /usr/local/etc/rc.d/nagios.sh forcestart</userinput></screen>
+ <sect1 id="mac-userlocked">
+ <title>User Lock Down</title>
+ <para>This example considers a relatively small, fewer than fifty
+ users, storage system. Users would have login capabilities, and
+ be permitted to not only store data but access resources as
+ well.</para>
+ <para>For this scenario, the &man.mac.bsdextended.4; mixed with
+ &man.mac.seeotheruids.4; could co-exist and block access not
+ only to system objects but to hide user processes as well.
+ <para>Begin by adding the following lines to
+ <filename>/boot/loader.conf</filename>:</para>
+ <programlisting>mac_seeotheruids_enabled="YES"</programlisting>
+ <para>The &man.mac.bsdextended.4; security policy module may be
+ activated through the use of the following rc.conf
+ variable:</para>
- <sect1 id="mac-examplesandbox">
- <title>An Example of a MAC Sandbox</title>
+ <programlisting>ugidfw_enable="YES"</programlisting>
- <para>An example of placing users in a sandbox using
- <acronym>MAC</acronym> should go here.</para>
+ <para>Default rules stored in
+ <filename>/etc/rc.bsdextended</filename> will be loaded at system
+ initialization; however, the default entries may need
+ modification. Since this machine is expected only to service
+ users, everything may be left commented out except the last
+ two. These will force the loading of user owned system objects
+ by default.</para>
+ <para>Add the required users to this machine and reboot. For
+ testing purposes, try logging in as a different user across two
+ consoles. Run the <command>ps aux</command> command to see if
+ processes of other users are visible. Try to run &man.ls.1; on
+ another users home directory, it should fail.</para>
+ <para>Do not try to test with the <username>root</username> user
+ unless the specific <command>sysctl</command>s have been modified
+ to block super user access.</para>
+ <note>
+ <para>When a new user is added, their &man.mac.bsdextended.4;
+ rule will not be in the ruleset list. To update the ruleset
+ quickly, simply unload the security policy module and reload
+ it again using the &man.kldunload.8; and &man.kldload.8;
+ utilities.</para>
+ </note>
<sect1 id="mac-troubleshoot">
<title>Troubleshooting the MAC Framework</title>
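Review bot: The added paragraph that begins "For this scenario, the &man.mac.bsdextended.4; mixed with" has no closing tag in the lines shown: it ends at "only to system objects but to hide user processes as well." and the next added line opens a new `<para>`. Please add `</para>` after "as well." so the chapter still parses. In the same section, "adding the following lines to /boot/loader.conf" introduces a single line, and that line uses the name `mac_seeotheruids_enabled="YES"`; loader.conf loads modules through variables of the form `<module>_load`, so please confirm this is not meant to be `mac_seeotheruids_load="YES"`, otherwise the process-hiding policy the example relies on will not be loaded at boot. "Everything may be left commented out except the last two" depends on the order of entries in /etc/rc.bsdextended at the time of writing; quoting the two rules would keep the example correct if that file changes, and would also make "These will force the loading of user owned system objects by default" easier to follow. The closing note recommends unloading and reloading the module to pick up a new user; the text should say that the file system rules are not enforced while the module is unloaded, or point to &man.ugidfw.8; for adding the rule in place. Minor: "another users home directory, it should fail" needs the possessive ("user's") and a sentence break.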