Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

FreeBSD Handbook
Prev Chapter 16 Mandatory Access Control Next

16.8 The MAC bsdextended Module

Module name: mac_bsdextended.ko

Kernel configuration line: options MAC_BSDEXTENDED

Boot option: mac_bsdextended_load="YES"

The mac_bsdextended(4) module enforces the file system firewall. This module's policy provides an extension to the standard file system permissions model, permitting an administrator to create a firewall-like ruleset to protect files, utilities, and directories in the file system hierarchy. When access to a file system object is attempted, the list of rules is iterated until either a matching rule is located or the end is reached. This behavior may be changed by the use of a sysctl(8) parameter, security.mac.bsdextended.firstmatch_enabled. Similar to other firewall modules in FreeBSD, a file containing access control rules can be created and read by the system at boot time using an rc.conf(5) variable.

The rule list may be entered using a utility, ugidfw(8), that has a syntax similar to that of ipfw(8). More tools can be written by using the functions in the libugidfw(3) library.

Extreme caution should be taken when working with this module; incorrect use could block access to certain parts of the file system.

16.8.1 Examples

After the mac_bsdextended(4) module has been loaded, the following command may be used to list the current rule configuration:

# ugidfw list
0 slots, 0 rules

As expected, there are no rules defined. This means that everything is still completely accessible. To create a rule which will block all access by users but leave root unaffected, simply run the following command:

# ugidfw add subject not uid root new object not uid root mode n

Note: In releases prior to FreeBSD 5.3, the add parameter did not exist. In those cases the set should be used instead. See below for a command example.

This is a very bad idea as it will block all users from issuing even the most simple commands, such as ls. A more patriotic list of rules might be:

# ugidfw set 2 subject uid user1 object uid user2 mode n
# ugidfw set 3 subject uid user1 object gid user2 mode n

This will block any and all access, including directory listings, to user2's home directory from the username user1.

In place of user1, the not uid user2 could be passed. This will enforce the same access restrictions above for all users in place of just one user.

Note: The root user will be unaffected by these changes.

This should provide a general idea of how the mac_bsdextended(4) module may be used to help fortify a file system. For more information, see the mac_bsdextended(4) and the ugidfw(8) manual pages.

Prev Home Next
The MAC seeotheruids Module Up The MAC ifoff Module

 
 
  Published under the terms of the FreeBSD Document Project