search for: ugidfw

Displaying 8 results from an estimated 8 matches for "ugidfw".

2006 Jun 01
1
mac_bsdextended log information
Hey everyone, I'm hoping someone can point me in the right direction. I'm running a 6.1 box with mac_bsdextended compiled. I've created my ugidfw rules, and all seems well in the universe. I've got rules set up so the web process uid 80 and gid 80 can only read uid 1010 and gid 1010 owned files. When the web server tries to do something else, it throws an error such as: <authpriv.emerg> www kernel: mac_bsdextended: 80:80 request...
2003 Jul 15
0
filesystem firewall rules
Hello all, I am attempting to install and test the MAC framework. I will start with ugidfw(8) to NOT allow a group of users to access a certain filesystem object. However, I cannot get it to work, and I wish that if anybody reading this would send me a snippet of their ugidfw rules, and associated mac.conf settings. I've read all the docs I can find, and googled to no avail. I ho...
2006 May 03
1
MAC policies and shared hosting
Hello, I've been looking at the different MAC modules available and how they could help to implement a less insecure than usual shared hosting web server. I've not been able to come up with a suitable configuration, looking at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with the following policies could be very useful for such an environment. Have I
2006 Oct 10
1
Proposal: MAC_BIBA and real-world usage
...project with some goals: 1) Users are kept isolated. This isn't so obvious, as by design Apache should run as an unprivileged user. The mac_bsdextended policy can implement an additional layer of security. In my case, hosting users are given uids belonging to an interval, and there is a ugidfw rule that states that subjects with an uid within that range can only access objects belonging to the same user in case their uid is within the interval as well. I didn't use MAC compartments because there is a limit on the number of compartments. Users are allowed to run CGIs and PHP...
2009 Mar 01
2
Trusted Path Execution
I would like to know whether there is or is not a way to prevent users from executing binaries that are not owned by root or that the user is in a particular group. Is this something I can achieve with TrustedBSD's MAC framework?
2005 Apr 11
1
/etc/rc.bsdextended: am I misunderstanding this..?
Can someone clear something up for me? [[[ # For apache to read user files, the ruleadd must give # it permissions by default. #### ${CMD} add subject uid 80 object not uid 80 mode rxws; ${CMD} add subject gid 80 object not gid 80 mode rxws; ]]] Doesn't the above mean that an apache user (eg, user-supplied CGI process, PHP script, etc) has the ability to read (and write!) anything in the
2011 Nov 16
1
Starting X11 with kernel secure level greater than -1/0.
Hi, is there any chance (if yes, how to do this?) to use the xf86 driver which "provides access to the memory and I/O ports of a VGA board and to the PCI configuration registers for use by the X servers when running with a kernel security level greater than 0" in FreeBSD*? Then it will be possible to start X environment with a kernel secure level > 0, right? Normally it is impossible
2010 Jan 14
9
[Bug 1698] New: Connection stalls on PTY allocation failure
...n: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org ReportedBy: alex at rtfs.hu If on the server side sshd was not able to allocate a PTY (in my case a wrongly configured FreeBSD's ugidfw rule won't allow opening those files) both sshd and the client ssh will stall. Client ssh log: debug1: Requesting no-more-sessions at openssh.com debug1: Entering interactive session. debug2: callback start debug2: client_session2_setup: id 0 debug2: channel 0: request pty-req confirm 1 debug2: ch...