Add another simple example to lock down user resources. Remove the

commented out sandbox entry, we already have something above.

1 files changed, 46 insertions, 7 deletions

diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
index b79791b40d..97fe1fc223 100644
--- a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml
@@ -1916,16 +1916,55 @@ setpmac biba/10 /usr/local/etc/rc.d/nagios.sh forcestart</userinput></screen>
     </sect2>
   </sect1>
 
-<!--
-XXX
+  <sect1 id="mac-userlocked">
+    <title>User Lock Down</title>
+
+    <para>This example considers a relatively small, fewer than fifty
+      users, storage system.  Users would have login capabilities, and
+      be permitted to not only store data but access resources as
+      well.</para>
+
+    <para>For this scenario, the &man.mac.bsdextended.4; mixed with
+      &man.mac.seeotheruids.4; could co-exist and block access not
+      only to system objects but to hide user processes as well.
+
+    <para>Begin by adding the following lines to
+      <filename>/boot/loader.conf</filename>:</para>
+
+    <programlisting>mac_seeotheruids_enabled="YES"</programlisting>
+
+    <para>The &man.mac.bsdextended.4; security policy module may be
+      activated through the use of the following rc.conf
+      variable:</para>
 
-  <sect1 id="mac-examplesandbox">
-    <title>An Example of a MAC Sandbox</title>
+    <programlisting>ugidfw_enable="YES"</programlisting>
 
-    <para>An example of placing users in a sandbox using
-      <acronym>MAC</acronym> should go here.</para>
+    <para>Default rules stored in
+      <filename>/etc/rc.bsdextended</filename> will be loaded at system
+      initialization; however, the default entries may need
+      modification.  Since this machine is expected only to service
+      users, everything may be left commented out except the last
+      two.  These will force the loading of user owned system objects
+      by default.</para>
+
+    <para>Add the required users to this machine and reboot.  For
+      testing purposes, try logging in as a different user across two
+      consoles.  Run the <command>ps aux</command> command to see if
+      processes of other users are visible.  Try to run &man.ls.1; on
+      another users home directory, it should fail.</para>
+
+    <para>Do not try to test with the <username>root</username> user
+      unless the specific <command>sysctl</command>s have been modified
+      to block super user access.</para>
+
+    <note>
+      <para>When a new user is added, their &man.mac.bsdextended.4;
+	rule will not be in the ruleset list.  To update the ruleset
+	quickly, simply unload the security policy module and reload
+	it again using the &man.kldunload.8; and &man.kldload.8;
+	utilities.</para>
+    </note>
   </sect1>
--->
 
   <sect1 id="mac-troubleshoot">
     <title>Troubleshooting the MAC Framework</title>