From nobody Wed Jun 05 07:07:26 2024 X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4VvJTl4HFgz5M9gy for ; Wed, 05 Jun 2024 07:08:43 +0000 (UTC) (envelope-from Alexander@Leidinger.net) Received: from mailgate.Leidinger.net (bastille.leidinger.net [89.238.82.207]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (P-256) client-digest SHA256) (Client CN "mailgate.leidinger.net", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4VvJTk6r55z43d5 for ; Wed, 5 Jun 2024 07:08:42 +0000 (UTC) (envelope-from Alexander@Leidinger.net) Authentication-Results: mx1.freebsd.org; none List-Id: Technical discussions relating to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-hackers List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-hackers@FreeBSD.org MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=leidinger.net; s=outgoing-alex; t=1717571308; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=iuKxPSnRvNX1oqNnC/01Ks9ee09JPr1FoUX8Am1oyIY=; b=yyhAHzyljKP+DlvqCoX4Djh0UNZ/rv5gruKUWhgA42wprtf/I53TXUi58uAfw1PlDraZ+8 BELTL2C9NkiJjpRkOThV5jp5dsnD1XJDPFY3MwSkXuqRZnT7mC4WI0nNnDnQwASpboha3M UCVbhI+fY8xBksBVhm7dLI6QWS2bjoGsVMkpqovRAk0qjaJRZMU7Rq2eBNNqFAjdk0Hn7k 8mLln5YaIZKutQyzrEgair0AvccBK1bSYtJ3AbwAXReLgf6pku8d4jgTFeRkWqGfQg10ro o4HC9QzDtCbgJ0aI4yk9P/1Z0ONmmYL7hQH8ceuOaCBM9K7Z36BrwjUvDO2REw== Date: Wed, 05 Jun 2024 09:07:26 +0200 From: Alexander Leidinger To: Nicolas MASSE Cc: "freebsd-hackers@FreeBSD.org" Subject: Re: Generic module for managing access through the mac framework In-Reply-To: <3b62d55d66101bebd504a65f9b2706ab40edb712.camel@stormshield.eu> References: <3b62d55d66101bebd504a65f9b2706ab40edb712.camel@stormshield.eu> Message-ID: Organization: No organization, this is a private message. Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="=_8943a02cfb2f99594f37a66a5ec51401"; micalg=pgp-sha256 X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:34240, ipnet:89.238.64.0/18, country:DE] X-Rspamd-Queue-Id: 4VvJTk6r55z43d5 This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --=_8943a02cfb2f99594f37a66a5ec51401 Content-Type: multipart/alternative; boundary="=_966ae685291f49a44a6c924e22d5600e" --=_966ae685291f49a44a6c924e22d5600e Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII; format=flowed Am 2024-06-04 16:47, schrieb Nicolas MASSE: > Hello, > > At my company, we are working on a generic mac module. Its purpose is > to grant some users a set of privileges in order to run their services. > > For example, it can be configured in order to allow the ntp user to set > the system clock (PRIV_CLOCK_SETTIME), or allow a process to change its > user or groups (PRIV_CRED_SET[UID|GID|GROUPS), restricting them to some > allowed values. > > After reading the discussions around the mac_do module, I was wondering > if other people could be interested in such a more generic module. > > Even though it doesn't do the exact same thing, it still has a lot in > common with mac_do while extending its capabilities. > > So far, it is still a work in progress so we don't have code to share > yet. Though I think it'd be interesting to speak about the idea. > > I can explain further how we plan to do this if any of you is > interested. This sounds a bit like the Solaris RBAC/privileges. https://docs.oracle.com/cd/E23824_01/html/821-1456/prbac-1.html#scrolltoc IMO it would be worth to include, as it allows a more fine grained access to privileged stuff without the need to handout full root permissions to some applications. Bye, Alexander. -- http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF --=_966ae685291f49a44a6c924e22d5600e Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=UTF-8

Am 2024-06-04 16:47, schrieb Nicolas MASSE:

Hello,
 
At my company, we are working on a generic mac module=
=2E Its purpose is to grant some users a set of privileges in order to run =
their services.
For example, it can be configured in order to allow t=
he ntp user to set the system clock (PRIV_CLOCK_SETTIME), or allow a proces=
s to change its user or groups (PRIV_CRED_SET[UID|GID|GROUPS), restricting =
them to some allowed values.
After reading the discussions around the mac_do modul=
e, I was wondering if other people could be interested in such a more gener=
ic module.
Even though it doesn't do the exact same thing, it st=
ill has a lot in common with mac_do while extending its capabilities.
 
So far, it is still a work in progress so we don't ha=
ve code to share yet. Though I think it'd be interesting to speak about the=
 idea.
I can explain further how we plan to do this if any o=
f you is interested.

This sounds a bit like the Solaris RBAC/privileges.

  https://docs.oracle.com/cd/E23824_01/html/821-1456/prb= ac-1.html#scrolltoc

IMO it would be worth to include, as it allows a more fine grained acces= s to privileged stuff without the need to handout full root permissions to = some applications.

Bye,
Alexander.

--
= http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http:/= /www.FreeBSD.org    n= etchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
--=_966ae685291f49a44a6c924e22d5600e-- --=_8943a02cfb2f99594f37a66a5ec51401 Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc; size=833 Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- iQIyBAEBCAAdFiEER9UlYXp1PSd08nWXEg2wmwP42IYFAmZgDr0ACgkQEg2wmwP4 2IbD9w/4zCLzPwmKUwCS6rV+jda6quZx1k6vRIz8Bl1QQ+ej25HSka5NaGPgs01z Mg1+bVa/ODz9VFONfJSUw1cMx0FuqRC5V6nAcbkmWaHmKKXsrwsmmJHnwtZJ8Kwo Y3xyBLEhhtxkUes+VjxK6OtA3KiG+YDIwZZILLZdS8zPanwozp56lTneate7TBZi 4Oc9y7ACK4PNVTE+DN3br6bPBGo5J+/OvPzn9NPOx3Wgm0O0RcHrL8UxFyuQIl1e XWQtMAarR+FBfKQ/L7YIQiNtwUHmMn5OOt27eBRMnWd3cRCVoK+u1qdSDiN6clcu 8UNtjbbASN3pcsml6LMJSUEP2JR5cQu2kMei1Yru1xs+5scGD1Djq8rIzmCC+Qrb E5DFgiQBwLpBpCobLkJ6hAGPJRKBt6EKyCbVL96vwUjgWNuyAMZV5warq54WZtJE NesPlYXyCFFUnNwlsNuREpkU4ukHPMzDqC7YylCKqdIPHTtXg2SYjH54W88upimx rjXRqIEqYZNgIOqSctXTC47nUI6/QhHr3uCVtySbkRgcYTBMYTuItImQICsfBGe+ W8+7fclxtPolnTcMplJvX4m0BTkX22Oz99XEwdX4WOjD/SotZdCL5Z4OFMsPk+qg FwfXsRzO9Ri0GVvtCkjOrBZIDhd59b2sjujtrg8KTaKyO+WixA== =V8tI -----END PGP SIGNATURE----- --=_8943a02cfb2f99594f37a66a5ec51401--