similar to: Proposal: MAC_BIBA and real-world usage

Hello, I've been looking at the different MAC modules available and how they cold help to implement a less insecure than usual shared hosting web server. I've not been able to come up with a suitable configuration, looking at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with the following policies could be very useful for such an environment. Have I

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I just try to understand the concepts and possiblities behind the mac framework. After days of puzzling I found one puzzling behaviour and still have one immediate question (this is on 5-stable) - - when I enable mac_biba, set root to biba/equal (or any value, actually), and do a setfmac -R biba/equal / I expect biba to be activated without any

FreeBSD 5.1-RELEASE Hi, I'm examining Biba and MLS MAC policies and something is not clear for me. Unless I'm doing something wrong, it seems policies are enforced only for reading, but not writing. 1) Biba I've created test file with biba/127 label: $ echo "Message" > file_biba_127.txt $ setfmac biba/127 file_biba_127.txt $ getfmac file_biba_127.txt

FreeBSD version: 5.1-RELEASE Hi, I'm quite new to FreeBSD. I've check list archives and read a handbook, but I didn't find solution to my problem and I hope this is not off-topic. I've installed 5.1-RELEASE, enabled ACLs on the filesystems and I wanted to test MAC features. I'm also new to MAC, so perhaps this is some my mistake. When I enable mac_biba or mac_lomac (in

(crossposted to freebsd-security just in case someone has to slap me) :) Hello, I'm doing some work with the MAC subsystem in FreeBSD, and I have spotted some errors in the MAC documentation in the handbook. 1- Section 15.14.4. Error in the example dropping users "nagios" and "www" into the insecure class. The example uses the command "pw usermod nagios -L

All, I've decided to publish something I threw together. I recently installed NUT and found it to be a hassle to switch between the CGIs for web access. I created some HTML to provide an easy way to go between the CGIs easily and quickly. It uses the exact same color scheme that the default CGIs use. I would very much appreciate any input. I am open to having this included with the main

All, I've decided to publish something I threw together. I recently installed NUT and found it to be a hassle to switch between the CGIs for web access. I created some HTML to provide an easy way to go between the CGIs easily and quickly. It uses the exact same color scheme that the default CGIs use. I would very much appreciate any input. I am open to having this included with the main

I seem to have NUT all working with my R3000XR, except for the CGIs. The webserver's all properly configured and upsstats.cgi *runs*, but doesn't yield any useful output - no values are displayed, every value is replaced by [error: Invalid argument]. Apache is not logging any resulting errors, and there doesn't seem to be a lot of useful documentation on the CGIs to troubleshoot

Dear Community, Xiph.org has a serious need for some webmasterly help, and currently no one actively involved has the time to fill such a role. We are hereby asking if there are any volunteers in the community who would like to help out in this capacity, possibly as part of a webmaster team (depending on response). This job pays in karma only, unfortunately. This is a good opportunity to help

Dear Community, Xiph.org has a serious need for some webmasterly help, and currently no one actively involved has the time to fill such a role. We are hereby asking if there are any volunteers in the community who would like to help out in this capacity, possibly as part of a webmaster team (depending on response). This job pays in karma only, unfortunately. This is a good opportunity to help

Dear Community, Xiph.org has a serious need for some webmasterly help, and currently no one actively involved has the time to fill such a role. We are hereby asking if there are any volunteers in the community who would like to help out in this capacity, possibly as part of a webmaster team (depending on response). This job pays in karma only, unfortunately. This is a good opportunity to help

Dear Community, Xiph.org has a serious need for some webmasterly help, and currently no one actively involved has the time to fill such a role. We are hereby asking if there are any volunteers in the community who would like to help out in this capacity, possibly as part of a webmaster team (depending on response). This job pays in karma only, unfortunately. This is a good opportunity to help

I suspect this has been asked before but I'll ask anyway. Q1: Is it possible for a non-root process to perform a chroot? My interest is this: I have a typical ISP hosting account (verio; on a FreeBSD 4.4 server.) I'd like to install and run various CGI packages, yet protect myself (and my email, and my .ssh keys) from bugs being exploited in those CGI packages. Chroot at the start

Hey everyone, I'm hoping someone can point me in the right direction. I'm running a 6.1 box with mac_bsdextended compiled. I've created my ugidfw rules, and all seems well in the universe. I've got rules set up so the web process uid 80 and gid 80 can only read uid 1010 and gid 1010 owned files. When the web server tries to do something else, it throws an error such as:

Hi List! Don't see much discussion about MAC here, time to change that! :-) Currently trying to set up a service jail, according to instructions in the handbook[1]. The problem I'm facing is that nullfs does not seem to support multilabeled filesystems, or am i missing something? ls -lZ /usr/js/testjail/var/run/test -rw-r--r-- 1 root wheel biba/equal 0 Feb 6 17:15

CentOS 7 server and Fedora 29 dev workstation, both with PHP 7.2, Apache 2.4, php-fpm, all updated. I have a web-based app I've been developing for some time, and recently the need to upload files of large size EG 1 GB or larger, has come up. So I wrote a /cgi-bin script that works, takes the input, and even runs the same application framework as the main application which normally

When I change file property - security from Windows, I can see both from packet sniffer and Samba code, that there are 4 types of "security information": Owner ID Reference Primary Group ID Reference Discretionary ACL Reference System ACL Reference So if I want to change the primary group name on a file, by right click on the file->property->security->advanced->select

> >For example (and this is only an example), a private namespace may be >assigned for each user at login time (at the level of the login shell). >Thus, the user''s "ls" commands see files in whatever directory the >private namespace is rooted, and for all intents and purposes it appears >to be an ordinary filesystem. Yet no other users can see this. User runs

Dear Community, Xiph.org has a serious need for some webmasterly help, and currently no one actively involved has the time to fill such a role. We are hereby asking if there are any volunteers in the community who would like to help out in this capacity, possibly as part of a webmaster team (depending on response). This job pays in karma only, unfortunately. This is a good opportunity to help

I've been scouring the web for a web based scheduler for use with icecast. Here is what I'm looking for: I want to be able to say "at X time, Y file/playlist will play" I want to be able to control icecast from the web I want to be able to lock control of this site with some form of authentication Preferably PHP, but ruby/rails would be good too. Any suggestions? --