mac_suidacl policy has been committed

Samy Al Bahra samy at kerneled.org
Tue Jun 28 12:54:27 GMT 2005


I wanted to note that the mac_suidacl policy has just been committed
into the P4 MAC repository. This policy takes advantage of the recently
committed setxid() entry points and check_vnode_exec to control access
to credential-changing elements of a system (setxid() calls and
suid/sgid executables) at uid/gid level.

Example:
jee# sysctl security.mac.suidacl.rules="uid:1002:execve"
security.mac.suidacl.rules:  -> uid:1002:execve
jee# su samy
samy$ id
uid=1002(samy) gid=1002(samy) groups=1002(samy)
samy$ ping
su: /sbin/ping: Operation not permitted

Please see the committed manual page for more information.
-- 
Samy Al Bahra <samy at kerneled.org>
Kerneled.org
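As an added illustration (not the mac_suidacl source, which is a kernel MAC module whose full rule grammar lives in its manual page), the following constructed Python model shows the shape of the check the announcement describes: a rule string like `uid:1002:execve` set through the sysctl is parsed into a subject kind, an id and an operation, and a request is denied when a rule matches the caller's uid or gid. The operation names other than `execve` (`setuid`, `setgid`), the comma separator for multiple rules, and the `Subject`/`Rule` types are assumptions made for this example.

```python
"""Constructed model of the uid/gid rule format shown in the announcement.

Added example, not the mac_suidacl implementation. Assumptions: rules are
"kind:id:op" triples separated by commas; kind is "uid" or "gid"; the ops are
"execve" (for suid/sgid executables), "setuid" and "setgid".
"""
from dataclasses import dataclass

EPERM = "Operation not permitted"  # the error seen in the announcement's session


@dataclass(frozen=True)
class Rule:
    kind: str    # "uid" or "gid" (assumed: the two subject kinds)
    ident: int   # numeric uid or gid the rule applies to
    op: str      # "execve", "setuid" or "setgid" (assumed op names)


@dataclass(frozen=True)
class Subject:
    uid: int
    gid: int
    groups: tuple  # supplementary groups, also matched by gid rules (assumption)


def parse_rules(spec: str) -> list:
    """Parse a rule string such as "uid:1002:execve,gid:20:setuid"."""
    rules = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        kind, ident, op = item.split(":")
        if kind not in ("uid", "gid"):
            raise ValueError(f"unknown subject kind: {kind}")
        if op not in ("execve", "setuid", "setgid"):
            raise ValueError(f"unknown operation: {op}")
        rules.append(Rule(kind, int(ident), op))
    return rules


def check(rules, subj, op, *, target_setuid=False, target_setgid=False):
    """Return EPERM if a rule denies the request, else None (allowed).

    The policy only governs credential-changing elements, so an execve of a
    plain (non-suid/sgid) binary is never denied here.
    """
    if op == "execve" and not (target_setuid or target_setgid):
        return None
    for r in rules:
        if r.op != op:
            continue
        if r.kind == "uid" and r.ident == subj.uid:
            return EPERM
        if r.kind == "gid" and (r.ident == subj.gid or r.ident in subj.groups):
            return EPERM
    return None


def demo():
    """Replay the announcement's session: uid 1002 is blocked from a suid ping."""
    rules = parse_rules("uid:1002:execve")
    samy = Subject(uid=1002, gid=1002, groups=(1002,))
    other = Subject(uid=1001, gid=1001, groups=(1001,))
    return {
        "samy suid ping": check(rules, samy, "execve", target_setuid=True),
        "samy plain binary": check(rules, samy, "execve"),
        "samy setuid call": check(rules, samy, "setuid"),
        "other suid ping": check(rules, other, "execve", target_setuid=True),
    }


if __name__ == "__main__":
    for request, result in demo().items():
        print(f"{request}: {result or 'allowed'}")
```

In the replayed session only the suid exec by uid 1002 is refused; the same user running a non-suid binary, or calling setuid with no matching `setuid` rule, is allowed, as is another uid running the suid binary. Checking supplementary groups for `gid` rules is this model's choice, not something the announcement states.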
