Add another simple example to lock down user resources. Remove the
commented out sandbox entry, we already have something above.
parent
bb455d5117
commit
9b2a54868c
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=27616
1 changed files with 46 additions and 7 deletions
|
@ -1916,16 +1916,55 @@ setpmac biba/10 /usr/local/etc/rc.d/nagios.sh forcestart</userinput></screen>
|
|||
</sect2>
|
||||
</sect1>
|
||||
|
||||
<!--
|
||||
XXX
|
||||
<sect1 id="mac-userlocked">
|
||||
<title>User Lock Down</title>
|
||||
|
||||
<sect1 id="mac-examplesandbox">
|
||||
<title>An Example of a MAC Sandbox</title>
|
||||
<para>This example considers a relatively small, fewer than fifty
|
||||
users, storage system. Users would have login capabilities, and
|
||||
be permitted to not only store data but access resources as
|
||||
well.</para>
|
||||
|
||||
<para>An example of placing users in a sandbox using
|
||||
<acronym>MAC</acronym> should go here.</para>
|
||||
<para>For this scenario, the &man.mac.bsdextended.4; mixed with
|
||||
&man.mac.seeotheruids.4; could co-exist and block access not
|
||||
only to system objects but to hide user processes as well.
|
||||
|
||||
<para>Begin by adding the following lines to
|
||||
<filename>/boot/loader.conf</filename>:</para>
|
||||
|
||||
<programlisting>mac_seeotheruids_enabled="YES"</programlisting>
|
||||
|
||||
<para>The &man.mac.bsdextended.4; security policy module may be
|
||||
activated through the use of the following rc.conf
|
||||
variable:</para>
|
||||
|
||||
<programlisting>ugidfw_enable="YES"</programlisting>
|
||||
|
||||
<para>Default rules stored in
|
||||
<filename>/etc/rc.bsdextended</filename> will be loaded at system
|
||||
initialization; however, the default entries may need
|
||||
modification. Since this machine is expected only to service
|
||||
users, everything may be left commented out except the last
|
||||
two. These will force the loading of user owned system objects
|
||||
by default.</para>
|
||||
|
||||
<para>Add the required users to this machine and reboot. For
|
||||
testing purposes, try logging in as a different user across two
|
||||
consoles. Run the <command>ps aux</command> command to see if
|
||||
processes of other users are visible. Try to run &man.ls.1; on
|
||||
another users home directory, it should fail.</para>
|
||||
|
||||
<para>Do not try to test with the <username>root</username> user
|
||||
unless the specific <command>sysctl</command>s have been modified
|
||||
to block super user access.</para>
|
||||
|
||||
<note>
|
||||
<para>When a new user is added, their &man.mac.bsdextended.4;
|
||||
rule will not be in the ruleset list. To update the ruleset
|
||||
quickly, simply unload the security policy module and reload
|
||||
it again using the &man.kldunload.8; and &man.kldload.8;
|
||||
utilities.</para>
|
||||
</note>
|
||||
</sect1>
|
||||
-->
|
||||
|
||||
<sect1 id="mac-troubleshoot">
|
||||
<title>Troubleshooting the MAC Framework</title>
|
||||
|
|
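Review bot: The `/boot/loader.conf` listing in the mac-userlocked section sets `mac_seeotheruids_enabled="YES"`, but loader.conf loads a kernel module through a `_load` variable, so as written the module is not loaded and the `ps aux` test described further down would still show other users' processes; this should read `mac_seeotheruids_load="YES"`. In the same section, the `<para>` that begins "For this scenario, the &man.mac.bsdextended.4; mixed with" is never closed: the text ends at "hide user processes as well." and the next line opens `<para>Begin by adding`, so a `</para>` is needed after "as well." Smaller points: "rc.conf" should be wrapped in `<filename>` like the other file names here, and "another users home directory, it should fail" needs the possessive apostrophe and a sentence break. The note about updating the ruleset with &man.kldunload.8; and &man.kldload.8; should also say that no &man.mac.bsdextended.4; rules are enforced while the module is unloaded.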