Displaying 8 results from an estimated 8 matches for "mac_bsdextended".
2006 Jun 01
1
mac_bsdextended log information
Hey everyone,
I'm hoping someone can point me in the right direction. I'm running a 6.1 box with mac_bsdextended compiled. I've created my ugidfw rules, and all seems well in the universe.
I've got rules set up so the web process uid 80 and gid 80 can only read uid 1010 and gid 1010 owned files. When the web server tries to do something else, it throws an error such as:
<authpriv.emerg> www ke...
2006 May 03
1
MAC policies and shared hosting
Hello,
I've been looking at the different MAC modules available and how they
cold help to implement a less insecure than usual shared hosting web
server.
I've not been able to come up with a suitable configuration, looking
at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC
module with the following policies could be very useful for such an
environment. Have I missed anything? Has something similar been done?
The module would (roughly) work as follows:
Defining security levels in a similar way to mac_mls or mac_biba,...
2006 Oct 10
1
Proposal: MAC_BIBA and real-world usage
...and, worse, when none of the
applications we are using are prepared to take advantage of it. So it
should be as transparent as possible.
I started the project with some goals:
1) Users are kept isolated. This isn't so obvious, as by design
Apache should run as an unprivileged user. The mac_bsdextended policy
can implement an additional layer of security. In my case, hosting
users are given uids belonging to an interval, and there is a ugidfw
rule that states that subjects with an uid withing that range can
only access objects belonging to the same user in case their uid is
within the i...
2007 Feb 18
1
Secure shared web hosting using MAC Framework
...ail 1 via lo0
Here, I allow 80 and 443 in case the users want to locally use some web APi. MySQL and smtp use are obvious.
- Web users shouldn't be able to open any socket, but, they should still be able to connect to the outside
This is where I do not have a solution.
I think the use of mac_bsdextended would work here, but there are no clear way of doing this.
Anyone has a good configuration in place ?
** Resources Security **
Solution:
This is a straight forward one, configure login.conf and the virtual hosts with resources limits.
This can be adjusted for specific user who may need mor...
2009 Mar 01
2
Trusted Path Execution
I would like to know that there is or is not a way to prevent users from
executing binaries that are not owned by root or that the user is in a
particular group. Is this something I can achieve with TrustedBSD's MAC
framework?
2005 Apr 11
1
/etc/rc.bsdextended: am I misunderstanding this..?
...t not gid 80 mode rxws;
]]]
Doesn't the above mean that an apache user (eg, user-supplied CGI
process, PHP script, etc) has the ability to read (and write!) anything
in the filesystem?
Similarly: mailnull, majordomo, bin, etc, appear to get "elevated"
privileges via this file and mac_bsdextended.
[[[
####
# For cyrus:
${CMD} add subject uid 60 object not uid 60 mode rxws;
${CMD} add subject gid 60 object not gid 60 mode rxws;
]]]
Cyrus is a "black box" mail server: the cyrus user normally winds up
owning anything that the IMAP server needs to touch.
[[[
# For the nobody accou...
2011 Nov 16
1
Starting X11 with kernel secure level greater than -1/0.
Hi, is there any chance (if yes, how to do this?) to use the xf86
driver which "provides access to the memory and I/O ports of a
VGA board and to the PCI configuration registers for use by
the X servers when running with a kernel security level greater
than 0" in FreeBSD*?
Then it will be possible to start X environment with a kernel
secure level > 0, right? Normally it is impossible
2003 Aug 13
6
5.1-R-p2 crashes on SMP with AMI RAID and Intel 1000/Pro
...ACCEPT_FILTER_DATA
#options ACCEPT_FILTER_HTTP
options TCP_DROP_SYNFIN
options DUMMYNET
#options BRIDGE
options QUOTA
options _KPOSIX_PRIORITY_SCHEDULING
options P1003_1B_SEMAPHORES
#options MAC
#options MAC_BIBA
#options MAC_BSDEXTENDED
#options MAC_DEBUG
#options MAC_IFOFF
#options MAC_LOMAC
#options MAC_MLS
#options MAC_NONE
#options MAC_PARTITION
#options MAC_SEEOTHERUIDS
#options MAC_TEST
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
device isa
#options...