From owner-freebsd-current@FreeBSD.ORG Wed Jan 21 09:57:51 2004
Date: Wed, 21 Jan 2004 12:55:18 -0500 (EST)
From: Robert Watson
To: Josef Karthauser
cc: freebsd-current@FreeBSD.org
In-Reply-To: <20040121173956.GH68003@genius.tao.org.uk>
Subject: Re: Policy for a user that can't write any files (apart from in /tmp).
List-Id: Discussions about the use of FreeBSD-current

On Wed, 21 Jan 2004, Josef Karthauser wrote:

> Is it possible nowadays with MAC, etc, to set a per user policy such
> that the user doesn't have permissions to write to the file system?
> I've got a remote user that's logging in to make backups, and it would be
> really cool to prevent them from modifying anything without futzing
> with file permissions and groups.

Take a look at mac_bsdextended. The policy rule language isn't very mature, but should be able to do pretty much what you're looking for.
Be aware, however, that what you want is probably not what you're asking for. For example, regardless of wanting them to write to a file system, you probably do want them to be able to write to their terminal device, /dev/null, etc.

If you're interested in looking more at mac_bsdextended and how to enhance the rule language, I'd be happy to help out. The goal was to allow policy rules to be set in a type-enforcement-like way, but without introducing domains and types, which have a high administrative overhead. One of the things it really needs is a notion of user/group set, so that you can define sets of users and groups affected by rules in a more administrator-friendly way (not to mention more rule-efficient). Also, if it had a 'self' identifier, you could more easily express notions like "Users can only write to things they own".

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research
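The caveat above turned into a concrete mac_bsdextended rule set, as an added example that is not part of the original mail. It uses the ugidfw(8) syntax of current FreeBSD (the `type` and `filesys` object matchers came after the 2004 version discussed here), and assumes a constructed uid of 1001 for the backup login, that /tmp is mounted as its own file system, and that security.mac.bsdextended.firstmatch_enabled=1 so the narrow allow rules listed first take precedence over the broad deny rule.

```shell
#!/bin/sh
# Added example (not from the mail above): a mac_bsdextended rule set for a
# read-only backup login, built around the /dev/null and terminal caveat.
# Assumptions: the login's uid is 1001 (constructed), /tmp is its own file
# system, and security.mac.bsdextended.firstmatch_enabled=1 so that the
# narrow allow rules listed first win over the broad deny rule after them.
set -eu

# Print the rules in the order they must be loaded, most specific first.
backup_rules() {
    uid=$1
    # The last line alone is what the question literally asks for; on its
    # own it also denies writes to the tty and /dev/null, which are owned
    # by root or another user, so those get carved out ahead of it.
    printf 'subject uid %s object type c mode rsw\n' "$uid"            # char devices
    printf 'subject uid %s object filesys /tmp mode arswx\n' "$uid"    # scratch space
    printf 'subject uid %s object not uid %s mode rsx\n' "$uid" "$uid" # no writes elsewhere
}

rule_count() { backup_rules "$1" | wc -l | tr -d ' '; }

# Load the rules with ugidfw(8) into consecutive slots. Needs root on
# FreeBSD with mac_bsdextended loaded; anywhere else just print them.
load_rules() {
    uid=$1
    if [ "$(uname -s)" != FreeBSD ] || ! command -v ugidfw >/dev/null 2>&1; then
        echo "ugidfw not available here; rules that would be loaded:" >&2
        backup_rules "$uid" >&2
        return 0
    fi
    n=1
    backup_rules "$uid" | while IFS= read -r rule; do
        # Word splitting of $rule is intended: each token is a ugidfw argument.
        ugidfw set "$n" $rule
        n=$((n + 1))
    done
}

load_rules 1001
```

After loading, `ugidfw list` shows the installed slots, and the quick sanity check as the backup user is that writing to /dev/null and creating a file in /tmp succeed while writing to a root-owned file is refused.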