<table class="head">
<tr>
<td class="head-ltitle">MAC_SEEOTHERUIDS(4)</td>
<td class="head-vol">Device Drivers Manual</td>
<td class="head-rtitle">MAC_SEEOTHERUIDS(4)</td>
</tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<p class="Pp"><code class="Nm">mac_seeotheruids</code> —
<span class="Nd">simple policy controlling whether users see other
users</span></p>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<p class="Pp">To compile the policy into your kernel, place the following lines
in your kernel configuration file:</p>
<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code>
<br/>
<code class="Cd">options MAC_SEEOTHERUIDS</code></div>
<p class="Pp">Alternately, to load the module at boot time, place the following
line in your kernel configuration file:</p>
<div class="Bd Pp Bd-indent"><code class="Cd">options MAC</code></div>
<p class="Pp">and in <a class="Xr">loader.conf(5)</a>:</p>
<div class="Bd Pp Bd-indent Li">
<pre>mac_seeotheruids_load="YES"</pre>
</div>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<p class="Pp">The <code class="Nm">mac_seeotheruids</code> policy module, when
enabled, prevents users from seeing processes or sockets owned by other users.</p>
<p class="Pp">To enable <code class="Nm">mac_seeotheruids</code>, set the sysctl
OID <var class="Va">security.mac.seeotheruids.enabled</var> to 1. To permit
superuser awareness of other credentials by virtue of privilege, set the
sysctl OID <var class="Va">security.mac.seeotheruids.suser_privileged</var>
to 1.</p>
<p class="Pp">To allow users to see processes and sockets owned by the same
primary group, set the sysctl OID
<var class="Va">security.mac.seeotheruids.primarygroup_enabled</var> to
1.</p>
<p class="Pp">To allow processes with a specific group ID to be exempt from the
policy, set the sysctl OID
<var class="Va">security.mac.seeotheruids.specificgid_enabled</var> to 1,
and <var class="Va">security.mac.seeotheruids.specificgid</var> to the list
of group IDs to be exempted.</p>
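<p class="Pp">The following is an added illustration, not code from the
<code class="Nm">mac_seeotheruids</code> module itself: a small Python model
of the visibility decision as the four sysctl OIDs above describe it, so that a
proposed configuration can be reasoned about offline before it is applied. The
<code>Cred</code> and <code>SeeOtherUidsConfig</code> types and all credential
values are constructed for the example.</p>

```python
"""Model of the mac_seeotheruids(4) visibility decision.

Added example, not the kernel module's code.  It mirrors the documented
sysctl knobs under security.mac.seeotheruids.* so a configuration can be
checked offline.  All types and credential values here are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cred:
    """Stand-in for a process credential (hypothetical type)."""
    uid: int
    gid: int                           # primary group
    groups: frozenset = frozenset()    # supplementary groups


@dataclass(frozen=True)
class SeeOtherUidsConfig:
    """The sysctl OIDs documented in DESCRIPTION, with their default values."""
    enabled: int = 1
    suser_privileged: int = 0
    primarygroup_enabled: int = 0
    specificgid_enabled: int = 0
    specificgid: frozenset = frozenset()   # exempted group IDs


def may_see(subject: Cred, obj: Cred, cfg: SeeOtherUidsConfig) -> bool:
    """True if `subject` may see a process or socket owned by `obj`.

    The exemptions are applied in the order the man page lists them."""
    if not cfg.enabled:
        return True                        # policy loaded but switched off
    if subject.uid == obj.uid:
        return True                        # same owner is never restricted
    if cfg.suser_privileged and subject.uid == 0:
        return True                        # root sees others by privilege
    if cfg.primarygroup_enabled and subject.gid == obj.gid:
        return True                        # same primary group
    if cfg.specificgid_enabled:
        subject_gids = {subject.gid} | set(subject.groups)
        if subject_gids & set(cfg.specificgid):
            return True                    # subject is in an exempt group
    return False


def visible_uids(subject: Cred, others, cfg: SeeOtherUidsConfig) -> list:
    """Sorted uids among `others` whose objects `subject` would see."""
    return sorted(o.uid for o in others if may_see(subject, o, cfg))


if __name__ == "__main__":
    alice = Cred(uid=1001, gid=1001)
    bob = Cred(uid=1002, gid=1001)
    root = Cred(uid=0, gid=0)
    cfg = SeeOtherUidsConfig(primarygroup_enabled=1)
    print("alice sees:", visible_uids(alice, [alice, bob, root], cfg))
    print("root sees:", visible_uids(root, [alice, bob], cfg))
```

<p class="Pp">The model makes one point visible that is easy to miss when
reading the OIDs in isolation: with <var class="Va">enabled</var> set to 1 and
<var class="Va">suser_privileged</var> left at 0, the superuser is denied
visibility of other users' processes just like any other uid, which is usually
not what an administrator intends for monitoring and incident-response
tooling.</p>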
<section class="Ss">
<h2 class="Ss" id="Label_Format"><a class="permalink" href="#Label_Format">Label
Format</a></h2>
<p class="Pp">No labels are defined for
<code class="Nm">mac_seeotheruids</code>.</p>
</section>
</section>
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
ALSO</a></h1>
<p class="Pp"><a class="Xr">mac(4)</a>, <a class="Xr">mac_biba(4)</a>,
<a class="Xr">mac_bsdextended(4)</a>, <a class="Xr">mac_ddb(4)</a>,
<a class="Xr">mac_ifoff(4)</a>, <a class="Xr">mac_lomac(4)</a>,
<a class="Xr">mac_mls(4)</a>, <a class="Xr">mac_none(4)</a>,
<a class="Xr">mac_partition(4)</a>, <a class="Xr">mac_portacl(4)</a>,
<a class="Xr">mac_test(4)</a>, <a class="Xr">mac(9)</a></p>
</section>
<section class="Sh">
<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1>
<p class="Pp">The <code class="Nm">mac_seeotheruids</code> policy module first
appeared in <span class="Ux">FreeBSD 5.0</span> and was developed by the
TrustedBSD Project.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1>
<p class="Pp">This software was contributed to the
<span class="Ux">FreeBSD</span> Project by Network Associates Labs, the
Security Research Division of Network Associates Inc. under DARPA/SPAWAR
contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA
CHATS research program.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="BUGS"><a class="permalink" href="#BUGS">BUGS</a></h1>
<p class="Pp">While the MAC Framework design is intended to support the
containment of the root user, not all attack channels are currently
protected by entry point checks. As such, MAC Framework policies should not
be relied on, in isolation, to protect against a malicious privileged
user.</p>
</section>
</div>
<table class="foot">
<tr>
<td class="foot-date">February 26, 2026</td>
<td class="foot-os">FreeBSD 15.0</td>
</tr>
</table>