Date: Mon, 13 Oct 2025 08:57:57 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 290140] mdo(1) and mac_do(4) not working on 15ALPHA5
Message-ID: <bug-290140-227-6JyXAvlxjD@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-290140-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-290140-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290140

Olivier Certner <olce@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|regression                  |
             Status|New                         |Closed
           Assignee|bugs@FreeBSD.org            |olce@FreeBSD.org
         Resolution|---                         |Works As Intended

--- Comment #4 from Olivier Certner <olce@FreeBSD.org> ---
Hi,

The "new syntax" (well, we are just talking about the ":" => ">" change) works as the old (and as you noted, ":" is still accepted). Effectively, ">" is a special character to the shell and you have to quote it. Obviously, this drawback was considered when changing the separator between the from/to parts of a rule, but was then deemed a minor inconvenience compared to having a more readable rule specification (":" is very much associated to path separation in UNIX, and catches the eye too much IMO, whereas this is not the separator between rules but just inside rules between parts; and ">" is supposed to evoke an arrow, helping visualize the authorized transition). The plan was to deprecate ":" at some point (that's why it was removed from the documentation; not before 16 in any case), but if people absolutely prefer ":", we can as well keep it indefinitely.

The "Operation not permitted" you are observing is perfectly normal (and it is not a regression). As explained in the manual page, if you specify a clause with type "gid" in the "to" part of a rule, then no defaults are applied for groups and you get what you asked for. In your example, only 0 is allowed for primary groups (real, effective, saved variants) and *no supplementary groups* are allowed at all. This is not going to work on regular installations, where 'root' is a member of the 'wheel' and 'operator' supplementary groups.

So what you want instead if you want to be very fine-grained is:

sysctl security.mac.do.rules='uid=1001>uid=0,gid=0,+gid=0,+gid=5'

-- 
You are receiving this mail because:
You are the assignee for the bug.
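The group semantics described in the comment above, as an added illustration (not FreeBSD's mac_do(4) code, which lives in the kernel): a small checker that models a rule's "to" part under the stated behaviour, namely that any "gid" clause switches off group defaults, that "gid=" covers the primary group and "+gid=" the supplementary groups, and that ":" is still accepted alongside ">". Treating groups as unconstrained when no gid clause is present is an assumption of this model, not something the comment specifies.

```python
# Constructed model of mac_do(4) rule checking, for illustration only.
# Rule syntax used here: "uid=<n>" SEP "<clause>,<clause>,..." where SEP is
# ">" (current) or ":" (legacy) and each clause is uid=N, gid=N or +gid=N.

def parse_rule(rule):
    # ">" wins if present; otherwise fall back to the legacy ":" separator.
    sep = ">" if ">" in rule else ":"
    if sep not in rule:
        raise ValueError("rule has no from/to separator")
    src, dst = rule.split(sep, 1)
    allowed = {"uid": set(), "gid": set(), "+gid": set()}
    for clause in dst.split(","):
        key, eq, val = clause.strip().partition("=")
        if not eq or key not in allowed:
            raise ValueError(f"unsupported clause: {clause!r}")
        allowed[key].add(int(val))
    return src.strip(), allowed

def rule_permits(rule, from_uid, to_uid, to_gid, to_groups):
    """True if the rule lets from_uid become (to_uid, to_gid, to_groups)."""
    src, allowed = parse_rule(rule)
    if src != f"uid={from_uid}":
        return False                     # rule is for another source uid
    if to_uid not in allowed["uid"]:
        return False
    group_clause_present = bool(allowed["gid"] or allowed["+gid"])
    if not group_clause_present:
        # ASSUMPTION of this model: no gid clause -> defaults apply, which
        # we treat as "groups unconstrained". Real defaults are per the
        # manual page, not modelled here.
        return True
    # A gid clause was given: the caller gets exactly what was asked for.
    if to_gid not in allowed["gid"]:
        return False                     # primary group not listed
    return all(g in allowed["+gid"] for g in to_groups)

# Constructed scenario: uid 1001 wants to become root, whose group set on a
# regular installation includes wheel (0) and operator (5).
ROOT_CREDS = dict(to_uid=0, to_gid=0, to_groups=[0, 5])

def demo():
    too_strict = "uid=1001>uid=0,gid=0"
    correct = "uid=1001>uid=0,gid=0,+gid=0,+gid=5"
    return (rule_permits(too_strict, 1001, **ROOT_CREDS),   # False: EPERM
            rule_permits(correct, 1001, **ROOT_CREDS))      # True

if __name__ == "__main__":
    print(demo())
```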