From owner-p4-projects@FreeBSD.ORG Thu Oct 2 19:52:56 2008
Return-Path:
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 983C51065698; Thu, 2 Oct 2008 19:52:56 +0000 (UTC)
Delivered-To: perforce@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 26449106568E for ; Thu, 2 Oct 2008 19:52:56 +0000 (UTC) (envelope-from rene@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 141818FC0C for ; Thu, 2 Oct 2008 19:52:56 +0000 (UTC) (envelope-from rene@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.3/8.14.3) with ESMTP id m92JqtD4012927 for ; Thu, 2 Oct 2008 19:52:55 GMT (envelope-from rene@FreeBSD.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.14.3/8.14.3/Submit) id m92JqtAt012925 for perforce@freebsd.org; Thu, 2 Oct 2008 19:52:55 GMT (envelope-from rene@FreeBSD.org)
Date: Thu, 2 Oct 2008 19:52:55 GMT
Message-Id: <200810021952.m92JqtAt012925@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to rene@FreeBSD.org using -f
From: Rene Ladan
To: Perforce Change Reviews
Cc:
Subject: PERFORCE change 150813 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 02 Oct 2008 19:52:56 -0000

http://perforce.freebsd.org/chv.cgi?CH=150813

Change 150813 by rene@rene_self on 2008/10/02 19:52:40

Fix some nits in revision 1.73 of the MAC chapter, propagate the changes to the Dutch version where applicable. Checked build (nl + en).

Affected files ...

.. //depot/projects/docproj_nl/en_US.ISO8859-1/books/handbook/mac/chapter.sgml#5 edit
.. //depot/projects/docproj_nl/nl_NL.ISO8859-1/books/handbook/mac/chapter.sgml#9 edit

Differences ...

==== //depot/projects/docproj_nl/en_US.ISO8859-1/books/handbook/mac/chapter.sgml#5 (text+ko) ====
@@ -700,7 +700,7 @@ implement the labeling feature, including the Biba, Lomac, MLS and SEBSD policies. - + In many cases, the may not need to be set at all. Consider the following situation and security model: @@ -967,12 +967,6 @@ &prompt.root; ugidfw add subject not uid root new object not uid root mode n - - In releases prior to &os; 5.3, the - add parameter did not exist. In those - cases the set should be used - instead. See below for a command example. - This is a very bad idea as it will block all users from issuing even the most simple commands, such as ls. A more patriotic list of rules @@ -1427,6 +1421,7 @@ company information, and financial institution environments. The most unlikely place would be a personal workstation with only two or three users. +
@@ -1552,7 +1547,7 @@ to. The &man.mac.biba.4; security policy module permits an - administrator to address which files and programs a user or + administrator to address which files and programs a user or users may see and invoke while assuring that the programs and files are free from threats and trusted by the system for that user, or group of users. @@ -1570,7 +1565,7 @@ utilities. While other users would be grouped into other categories such as testers, designers, or just ordinary users and would only be permitted read access. - + With its natural security control, a lower integrity subject is unable to write to a higher integrity subject; a higher integrity subject cannot observe or read a lower integrity @@ -1733,7 +1728,7 @@ www users into the insecure class: &prompt.root; pw usermod nagios -L insecure - &prompt.root; pw usermod www -L insecure + &prompt.root; pw usermod www -L insecure @@ -1887,7 +1882,7 @@ &man.mac.seeotheruids.4; could co-exist and block access not only to system objects but to hide user processes as well. - Begin by adding the following lines to + Begin by adding the following line to /boot/loader.conf: mac_seeotheruids_enabled="YES" @@ -2032,9 +2027,10 @@ Error: &man..secure.path.3; cannot stat <filename>.login_conf</filename> - When I attempt to switch from the root + When I attempt to switch from the root user to another user in the system, the error message - _secure_path: unable to state .login_conf. + _secure_path: unable to state .login_conf + appears. This message is usually shown when the user has a higher label setting then that of the user whom they are attempting to ==== //depot/projects/docproj_nl/nl_NL.ISO8859-1/books/handbook/mac/chapter.sgml#9 (text+ko) ==== 
@@ -1066,13 +1066,6 @@ &prompt.root; ugidfw add subject not uid root new object not uid root mode n - - In versies voor &os; 5.3 bestond de parameter - add niet. In die gevallen dient in - plaats daarvan set gebruikt te worden - als in het onderstaande voorbeeld. - - Dit is een slecht idee, omdat het voorkomt dat alle gebruikers ook maar het meest eenvoudige commando kunnen uitvoeren, zoals ls. Een betere lijst met @@ -1534,7 +1527,7 @@ instellingen zijn. De meest onwaarschijnlijke plaats zou een persoonlijk werkstation met slechts twee of drie gebruikers zijn. - + @@ -1865,7 +1858,7 @@ /dev biba/equal /dev/* biba/equal -/var biba/equal +/var biba/equal /var/spool biba/equal /var/spool/* biba/equal @@ -1999,8 +1992,8 @@ met &man.mac.seeotheruids.4; naast elkaar bestaan en zowel toegang tot systeemobjecten als tot gebruikersprocessen ontzeggen. - Begin door de volgende regels aan - /boot/loader.conf toe te voegen: + Begin door de volgende regel aan + /boot/loader.conf toe te voegen: mac_seeotheruids_enabled="YES" @@ -2142,7 +2135,7 @@ Bij het wisselen van root naar een andere gebruiker in het systeem, verschijnt de foutmelding - _secure_path: unable to state .login_conf. + _secure_path: unable to state .login_conf. Deze melding komt meestal voor als de gebruiker een hogere labelinstelling heeft dan de gebruiker waarnaar wordt
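Review bot: the @@ -700 hunk, and likewise @@ -1427, @@ -1552, @@ -1570 and @@ -1733 in the en file and @@ -1534 and @@ -1865 in the nl file, change nothing visible in the shown text (the removed and added lines read identically), so these are presumably trailing-whitespace fixes. That is fine, but the commit message only says "Fix some nits"; say explicitly that the rest is whitespace cleanup so reviewers do not hunt for a content change in those hunks.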
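Review bot: the note removed in the @@ -967 hunk ended with "See below for a command example", which directed the reader to a later ugidfw set invocation; with the note gone, check that the set example it pointed at was also removed or reworded, otherwise it now sits unexplained next to the add form (the hunk shown does not touch it). The same check applies to the matching nl hunk at @@ -1066, whose removed text says "als in het onderstaande voorbeeld". Dropping the pre-5.3 note itself is fine. While in this hunk, the unchanged trailing context "A more patriotic list of rules" reads like a word-choice slip, perhaps "practical", and is worth fixing in the same nit pass.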
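Review bot: in the @@ -2032 hunk the re-quoted message still reads "_secure_path: unable to state .login_conf", while the section heading two lines above reads "cannot stat <filename>.login_conf</filename>"; "state" is a typo for "stat", and since the line is being rewritten anyway the quoted text should be made to agree with the heading so a reader grepping their logs finds the same wording. The unchanged context "a higher label setting then that of the user" needs "than".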
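Review bot: the nl @@ -2142 hunk keeps the trailing period inside the quoted message ("... .login_conf.") whereas the en @@ -2032 hunk moved the period out of the quoted string and onto the surrounding sentence; the two versions now present the message differently, so apply the same change here. It also still carries "unable to state" from the en text, which should be "stat" in both files.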