Module name: mac_bsdextended.ko
Kernel configuration line:
options MAC_BSDEXTENDED
Boot option:
mac_bsdextended_load="YES"
The mac_bsdextended(4) module enforces the file system firewall. This module's policy provides an extension to the standard file system permissions model, permitting an administrator to create a firewall-like ruleset to protect files, utilities, and directories in the file system hierarchy.
The policy may be created using a utility, ugidfw(8), that has a syntax similar to that of ipfw(8). More tools can be written by using the functions in the libugidfw(3) library.
Extreme caution should be taken when working with this module; incorrect use could block access to certain parts of the file system.
After the mac_bsdextended(4) module has been loaded, the following command may be used to list the current rule configuration:
#
ugidfw list
0 slots, 0 rules
As expected, there are no rules defined. This means that
everything is still completely accessible. To create a rule
which will block all access by users but leave
root
unaffected, simply run the
following command:
#
ugidfw add subject not uid root new object not uid root mode n
In releases prior to FreeBSD 5.3, the
add
parameter did not exist. In those
cases the set
should be used
instead. See below for a command example.
This is a very bad idea as it will block all users from
issuing even the most simple commands, such as
ls
. A more patriotic list of rules
might be:
#
ugidfw set 2 subject uid user1 object uid user2 mode n
#
ugidfw set 3 subject uid user1 object gid user2 mode n
This will block any and all access, including directory
listings, to
's home
directory from the username user2
user1
.
In place of user1
, the
not uid
could
be passed. This will enforce the same access restrictions
above for all users in place of just one user.user2
The root
user will be unaffected
by these changes.
This should give a general idea of how the mac_bsdextended(4) module may be used to help fortify a file system. For more information, see the mac_bsdextended(4) and the ugidfw(8) manual pages.
本文及其他文件,可由此下載: ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/。
若有 FreeBSD 方面疑問,請先閱讀
FreeBSD 相關文件,如不能解決的話,再洽詢
<questions@FreeBSD.org>。
關於本文件的問題,請洽詢
<doc@FreeBSD.org>。