Diffstat (limited to 'static/freebsd/man4/mac_seeotheruids.4 3.html')
-rw-r--r-- static/freebsd/man4/mac_seeotheruids.4 3.html | 93
1 files changed, 93 insertions, 0 deletions
diff --git a/static/freebsd/man4/mac_seeotheruids.4 3.html b/static/freebsd/man4/mac_seeotheruids.4 3.html
new file mode 100644
index 00000000..746ec17e
--- /dev/null
+++ b/static/freebsd/man4/mac_seeotheruids.4 3.html
@@ -0,0 +1,93 @@
+<table class="head">
+ <tr>
+ <td class="head-ltitle">MAC_SEEOTHERUIDS(4)</td>
+ <td class="head-vol">Device Drivers Manual</td>
+ <td class="head-rtitle">MAC_SEEOTHERUIDS(4)</td>
+ </tr>
+</table>
+<div class="manual-text">
+<section class="Sh">
+<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
+<p class="Pp"><code class="Nm">mac_seeotheruids</code> &#x2014;
+ <span class="Nd">simple policy controlling whether users see other
+ users</span></p>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
+<p class="Pp">To compile the policy into your kernel, place the following lines
+ in your kernel configuration file:</p>
+<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code>
+<br/>
+<code class="Cd">options MAC_SEEOTHERUIDS</code></div>
+<p class="Pp">Alternately, to load the module at boot time, place the following
+ line in your kernel configuration file:</p>
+<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code></div>
+<p class="Pp">and in <a class="Xr">loader.conf(5)</a>:</p>
+<div class="Bd Pp Bd-indent Li">
+<pre>mac_seeotheruids_load=&quot;YES&quot;</pre>
+</div>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
+<p class="Pp">The <code class="Nm">mac_seeotheruids</code> policy module, when
+ enabled, denies users to see processes or sockets owned by other users.</p>
+<p class="Pp">To enable <code class="Nm">mac_seeotheruids</code>, set the sysctl
+ OID <var class="Va">security.mac.seeotheruids.enabled</var> to 1. To permit
+ superuser awareness of other credentials by virtue of privilege, set the
+ sysctl OID <var class="Va">security.mac.seeotheruids.suser_privileged</var>
+ to 1.</p>
+<p class="Pp">To allow users to see processes and sockets owned by the same
+ primary group, set the sysctl OID
+ <var class="Va">security.mac.seeotheruids.primarygroup_enabled</var> to
+ 1.</p>
+<p class="Pp">To allow processes with a specific group ID to be exempt from the
+ policy, set the sysctl OID
+ <var class="Va">security.mac.seeotheruids.specificgid_enabled</var> to 1,
+ and <var class="Va">security.mac.seeotheruids.specificgid</var> to the list
+ of group IDs to be exempted.</p>
+<section class="Ss">
+<h2 class="Ss" id="Label_Format"><a class="permalink" href="#Label_Format">Label
+ Format</a></h2>
+<p class="Pp">No labels are defined for
+ <code class="Nm">mac_seeotheruids</code>.</p>
+</section>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
+ ALSO</a></h1>
+<p class="Pp"><a class="Xr">mac(4)</a>, <a class="Xr">mac_biba(4)</a>,
+ <a class="Xr">mac_bsdextended(4)</a>, <a class="Xr">mac_ddb(4)</a>,
+ <a class="Xr">mac_ifoff(4)</a>, <a class="Xr">mac_lomac(4)</a>,
+ <a class="Xr">mac_mls(4)</a>, <a class="Xr">mac_none(4)</a>,
+ <a class="Xr">mac_partition(4)</a>, <a class="Xr">mac_portacl(4)</a>,
+ <a class="Xr">mac_test(4)</a>, <a class="Xr">mac(9)</a></p>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1>
+<p class="Pp">The <code class="Nm">mac_seeotheruids</code> policy module first
+ appeared in <span class="Ux">FreeBSD 5.0</span> and was developed by the
+ TrustedBSD Project.</p>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1>
+<p class="Pp">This software was contributed to the
+ <span class="Ux">FreeBSD</span> Project by Network Associates Labs, the
+ Security Research Division of Network Associates Inc. under DARPA/SPAWAR
+ contract N66001-01-C-8035 (&#x201C;CBOSS&#x201D;), as part of the DARPA
+ CHATS research program.</p>
+</section>
+<section class="Sh">
+<h1 class="Sh" id="BUGS"><a class="permalink" href="#BUGS">BUGS</a></h1>
+<p class="Pp">While the MAC Framework design is intended to support the
+ containment of the root user, not all attack channels are currently
+ protected by entry point checks. As such, MAC Framework policies should not
+ be relied on, in isolation, to protect against a malicious privileged
+ user.</p>
+</section>
+</div>
+<table class="foot">
+ <tr>
+ <td class="foot-date">Februrary 26, 2026</td>
+ <td class="foot-os">FreeBSD 15.0</td>
+ </tr>
+</table>
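Review bot: The path of the new file, "static/freebsd/man4/mac_seeotheruids.4 3.html", has a space and a trailing " 3" before ".html", which looks like a duplicate-copy name rather than an intended one. Please check whether this should be "mac_seeotheruids.4.html" and rename or drop the file accordingly, since a path with a space is also awkward to link to and to quote in scripts. Two smaller text points in the same hunk: the footer cell "foot-date" reads "Februrary 26, 2026" and should be "February", and in DESCRIPTION "denies users to see processes or sockets owned by other users" would read better as "prevents users from seeing processes or sockets owned by other users". Also in DESCRIPTION, the sysctl is named "specificgid" (singular) but the text says to set it to "the list of group IDs to be exempted"; please confirm which is correct and make the wording match, because an administrator relying on several exempt groups needs to know whether only one is honoured.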