diff options
author | Tom Rhodes <trhodes@FreeBSD.org> | 2006-04-22 07:25:30 +0000 |
---|---|---|
committer | Tom Rhodes <trhodes@FreeBSD.org> | 2006-04-22 07:25:30 +0000 |
commit | 9b2a54868c2775ee01a9f04474a84fd8b05e85ce (patch) | |
tree | c12973ad7303e4e18d3eddc61549810cf7f96c76 /en_US.ISO8859-1/books/handbook/mac | |
parent | bb455d511710a208eb90e9ac6919ab544e47313d (diff) | |
download | doc-9b2a54868c2775ee01a9f04474a84fd8b05e85ce.tar.gz doc-9b2a54868c2775ee01a9f04474a84fd8b05e85ce.zip |
Add another simple example to lock down user resources. Remove the
commented out sandbox entry, we already have something above.
Notes
Notes:
svn path=/head/; revision=27616
Diffstat (limited to 'en_US.ISO8859-1/books/handbook/mac')
-rw-r--r-- | en_US.ISO8859-1/books/handbook/mac/chapter.sgml | 53 |
1 files changed, 46 insertions, 7 deletions
diff --git a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml index b79791b40d..97fe1fc223 100644 --- a/en_US.ISO8859-1/books/handbook/mac/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/mac/chapter.sgml @@ -1916,16 +1916,55 @@ setpmac biba/10 /usr/local/etc/rc.d/nagios.sh forcestart</userinput></screen> </sect2> </sect1> -<!-- -XXX + <sect1 id="mac-userlocked"> + <title>User Lock Down</title> + + <para>This example considers a relatively small, fewer than fifty + users, storage system. Users would have login capabilities, and + be permitted to not only store data but access resources as + well.</para> + + <para>For this scenario, the &man.mac.bsdextended.4; mixed with + &man.mac.seeotheruids.4; could co-exist and block access not + only to system objects but to hide user processes as well. + + <para>Begin by adding the following lines to + <filename>/boot/loader.conf</filename>:</para> + + <programlisting>mac_seeotheruids_enabled="YES"</programlisting> + + <para>The &man.mac.bsdextended.4; security policy module may be + activated through the use of the following rc.conf + variable:</para> - <sect1 id="mac-examplesandbox"> - <title>An Example of a MAC Sandbox</title> + <programlisting>ugidfw_enable="YES"</programlisting> - <para>An example of placing users in a sandbox using - <acronym>MAC</acronym> should go here.</para> + <para>Default rules stored in + <filename>/etc/rc.bsdextended</filename> will be loaded at system + initialization; however, the default entries may need + modification. Since this machine is expected only to service + users, everything may be left commented out except the last + two. These will force the loading of user owned system objects + by default.</para> + + <para>Add the required users to this machine and reboot. For + testing purposes, try logging in as a different user across two + consoles. Run the <command>ps aux</command> command to see if + processes of other users are visible. Try to run &man.ls.1; on + another users home directory, it should fail.</para> + + <para>Do not try to test with the <username>root</username> user + unless the specific <command>sysctl</command>s have been modified + to block super user access.</para> + + <note> + <para>When a new user is added, their &man.mac.bsdextended.4; + rule will not be in the ruleset list. To update the ruleset + quickly, simply unload the security policy module and reload + it again using the &man.kldunload.8; and &man.kldload.8; + utilities.</para> + </note> </sect1> ---> <sect1 id="mac-troubleshoot"> <title>Troubleshooting the MAC Framework</title> |