search for: bsdextend

...t gid 80 mode rxws; ]]] Doesn't the above mean that an apache user (eg, user-supplied CGI process, PHP script, etc) has the ability to read (and write!) anything in the filesystem? Similarly: mailnull, majordomo, bin, etc, appear to get "elevated" privileges via this file and mac_bsdextended. [[[ #### # For cyrus: ${CMD} add subject uid 60 object not uid 60 mode rxws; ${CMD} add subject gid 60 object not gid 60 mode rxws; ]]] Cyrus is a "black box" mail server: the cyrus user normally winds up owning anything that the IMAP server needs to touch. [[[ # For the nobody acc...

...ower down or reboot and the disks are not marked clean, so fsck run on next boot. Is this an expected behaviour?? - - What is the easiest way to block root from reading /home once the system is in multiuser.... Thanks for any hints, tips, links to background info about biba + mls Mathias P.S.: bsdextended does not block root from anything, right?? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFCIJBgSnKsATEFgwERAk+TAJ9tpmGVlY7W+OcIxj9q4vGqfTTkkgCfTWmK 0/myndlVB1DTfXAFHkxht5g= =vIgR -----END PGP SIGNATURE-----

Hey everyone, I'm hoping someone can point me in the right direction. I'm running a 6.1 box with mac_bsdextended compiled. I've created my ugidfw rules, and all seems well in the universe. I've got rules set up so the web process uid 80 and gid 80 can only read uid 1010 and gid 1010 owned files. When the web server tries to do something else, it throws an error such as: <authpriv.emerg> www...

Hello, I've been looking at the different MAC modules available and how they cold help to implement a less insecure than usual shared hosting web server. I've not been able to come up with a suitable configuration, looking at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with the following policies could be very useful for such an environment. Have I missed anything? Has something similar been done? The module would (roughly) work as follows: Defining security levels in a similar way to mac_mls or mac_bib...