search for: mac_bsdextended

Hey everyone, I'm hoping someone can point me in the right direction. I'm running a 6.1 box with mac_bsdextended compiled. I've created my ugidfw rules, and all seems well in the universe. I've got rules set up so the web process uid 80 and gid 80 can only read uid 1010 and gid 1010 owned files. When the web server tries to do something else, it throws an error such as: <authpriv.emerg> www ke...

Hello, I've been looking at the different MAC modules available and how they cold help to implement a less insecure than usual shared hosting web server. I've not been able to come up with a suitable configuration, looking at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with the following policies could be very useful for such an environment. Have I missed anything? Has something similar been done? The module would (roughly) work as follows: Defining security levels in a similar way to mac_mls or mac_biba,...

...and, worse, when none of the applications we are using are prepared to take advantage of it. So it should be as transparent as possible. I started the project with some goals: 1) Users are kept isolated. This isn't so obvious, as by design Apache should run as an unprivileged user. The mac_bsdextended policy can implement an additional layer of security. In my case, hosting users are given uids belonging to an interval, and there is a ugidfw rule that states that subjects with an uid withing that range can only access objects belonging to the same user in case their uid is within the i...

...ail 1 via lo0 Here, I allow 80 and 443 in case the users want to locally use some web APi. MySQL and smtp use are obvious. - Web users shouldn't be able to open any socket, but, they should still be able to connect to the outside This is where I do not have a solution. I think the use of mac_bsdextended would work here, but there are no clear way of doing this. Anyone has a good configuration in place ? ** Resources Security ** Solution: This is a straight forward one, configure login.conf and the virtual hosts with resources limits. This can be adjusted for specific user who may need mor...

I would like to know that there is or is not a way to prevent users from executing binaries that are not owned by root or that the user is in a particular group. Is this something I can achieve with TrustedBSD's MAC framework?

...t not gid 80 mode rxws; ]]] Doesn't the above mean that an apache user (eg, user-supplied CGI process, PHP script, etc) has the ability to read (and write!) anything in the filesystem? Similarly: mailnull, majordomo, bin, etc, appear to get "elevated" privileges via this file and mac_bsdextended. [[[ #### # For cyrus: ${CMD} add subject uid 60 object not uid 60 mode rxws; ${CMD} add subject gid 60 object not gid 60 mode rxws; ]]] Cyrus is a "black box" mail server: the cyrus user normally winds up owning anything that the IMAP server needs to touch. [[[ # For the nobody accou...

Hi, is there any chance (if yes, how to do this?) to use the xf86 driver which "provides access to the memory and I/O ports of a VGA board and to the PCI configuration registers for use by the X servers when running with a kernel security level greater than 0" in FreeBSD*? Then it will be possible to start X environment with a kernel secure level > 0, right? Normally it is impossible

...ACCEPT_FILTER_DATA #options ACCEPT_FILTER_HTTP options TCP_DROP_SYNFIN options DUMMYNET #options BRIDGE options QUOTA options _KPOSIX_PRIORITY_SCHEDULING options P1003_1B_SEMAPHORES #options MAC #options MAC_BIBA #options MAC_BSDEXTENDED #options MAC_DEBUG #options MAC_IFOFF #options MAC_LOMAC #options MAC_MLS #options MAC_NONE #options MAC_PARTITION #options MAC_SEEOTHERUIDS #options MAC_TEST options KBD_INSTALL_CDEV # install a CDEV entry in /dev device isa #options...