Date: Wed, 05 Jun 2024 09:07:26 +0200 From: Alexander Leidinger <Alexander@Leidinger.net> To: Nicolas MASSE <Nicolas.MASSE@stormshield.eu> Cc: "freebsd-hackers@FreeBSD.org" <freebsd-hackers@freebsd.org> Subject: Re: Generic module for managing access through the mac framework Message-ID: <b4bc3f5a327553c514467315af4937ba@Leidinger.net> In-Reply-To: <3b62d55d66101bebd504a65f9b2706ab40edb712.camel@stormshield.eu> References: <3b62d55d66101bebd504a65f9b2706ab40edb712.camel@stormshield.eu>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --=_8943a02cfb2f99594f37a66a5ec51401 Content-Type: multipart/alternative; boundary="=_966ae685291f49a44a6c924e22d5600e" --=_966ae685291f49a44a6c924e22d5600e Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII; format=flowed Am 2024-06-04 16:47, schrieb Nicolas MASSE: > Hello, > > At my company, we are working on a generic mac module. Its purpose is > to grant some users a set of privileges in order to run their services. > > For example, it can be configured in order to allow the ntp user to set > the system clock (PRIV_CLOCK_SETTIME), or allow a process to change its > user or groups (PRIV_CRED_SET[UID|GID|GROUPS), restricting them to some > allowed values. > > After reading the discussions around the mac_do module, I was wondering > if other people could be interested in such a more generic module. > > Even though it doesn't do the exact same thing, it still has a lot in > common with mac_do while extending its capabilities. > > So far, it is still a work in progress so we don't have code to share > yet. Though I think it'd be interesting to speak about the idea. > > I can explain further how we plan to do this if any of you is > interested. This sounds a bit like the Solaris RBAC/privileges. https://docs.oracle.com/cd/E23824_01/html/821-1456/prbac-1.html#scrolltoc IMO it would be worth to include, as it allows a more fine grained access to privileged stuff without the need to handout full root permissions to some applications. Bye, Alexander. -- http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF --=_966ae685291f49a44a6c924e22d5600e Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=UTF-8 <html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset= =3DUTF-8" /></head><body style=3D'font-size: 10pt; font-family: Verdana,Gen= eva,sans-serif'> <p id=3D"reply-intro">Am 2024-06-04 16:47, schrieb Nicolas MASSE:</p> <blockquote type=3D"cite" style=3D"padding: 0 0.4em; border-left: #1010ff 2= px solid; margin: 0"> <div id=3D"replybody1"> <div style=3D"text-align: left; direction: ltr;"> <pre class=3D"v1main">Hello,</pre> <pre class=3D"v1main"> </pre> <pre class=3D"v1main">At my company, we are working on a generic mac module= =2E Its purpose is to grant some users a set of privileges in order to run = their services.</pre> <pre class=3D"v1main">For example, it can be configured in order to allow t= he ntp user to set the system clock (PRIV_CLOCK_SETTIME), or allow a proces= s to change its user or groups (PRIV_CRED_SET[UID|GID|GROUPS), restricting = them to some allowed values.</pre> <pre class=3D"v1main">After reading the discussions around the mac_do modul= e, I was wondering if other people could be interested in such a more gener= ic module.</pre> <pre class=3D"v1main">Even though it doesn't do the exact same thing, it st= ill has a lot in common with mac_do while extending its capabilities.</pre> <pre class=3D"v1main"> </pre> <pre class=3D"v1main">So far, it is still a work in progress so we don't ha= ve code to share yet. Though I think it'd be interesting to speak about the= idea.</pre> <pre class=3D"v1main">I can explain further how we plan to do this if any o= f you is interested.</pre> </div> </div> </blockquote> <p>This sounds a bit like the Solaris RBAC/privileges.</p> <p> <a href=3D"https://docs.oracle.com/cd/E23824_01/html/821-1456/prb= ac-1.html#scrolltoc">https://docs.oracle.com/cd/E23824_01/html/821-1456/prb= ac-1.html#scrolltoc</a></p> <p>IMO it would be worth to include, as it allows a more fine grained acces= s to privileged stuff without the need to handout full root permissions to = some applications.</p> <p>Bye,<br />Alexander.</p> <div id=3D"signature">-- <br /> <div class=3D"pre" style=3D"margin: 0; padding: 0; font-family: monospace">= <a href=3D"http://www.Leidinger.net" target=3D"_blank" rel=3D"noopener nore= ferrer">http://www.Leidinger.net</a>; <a href=3D"mailto:Alexander@Leidinger.= net:">Alexander@Leidinger.net:</a> PGP 0x8F31830F9F2772BF<br /><a href=3D"h= ttp://www.FreeBSD.org" target=3D"_blank" rel=3D"noopener noreferrer">http:/= /www.FreeBSD.org</a> <a href=3D"mailto:netchild@FreeBSD.org">n= etchild@FreeBSD.org</a> : PGP 0x8F31830F9F2772BF</div> </div> </body></html> --=_966ae685291f49a44a6c924e22d5600e-- --=_8943a02cfb2f99594f37a66a5ec51401 Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc; size=833 Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- iQIyBAEBCAAdFiEER9UlYXp1PSd08nWXEg2wmwP42IYFAmZgDr0ACgkQEg2wmwP4 2IbD9w/4zCLzPwmKUwCS6rV+jda6quZx1k6vRIz8Bl1QQ+ej25HSka5NaGPgs01z Mg1+bVa/ODz9VFONfJSUw1cMx0FuqRC5V6nAcbkmWaHmKKXsrwsmmJHnwtZJ8Kwo Y3xyBLEhhtxkUes+VjxK6OtA3KiG+YDIwZZILLZdS8zPanwozp56lTneate7TBZi 4Oc9y7ACK4PNVTE+DN3br6bPBGo5J+/OvPzn9NPOx3Wgm0O0RcHrL8UxFyuQIl1e XWQtMAarR+FBfKQ/L7YIQiNtwUHmMn5OOt27eBRMnWd3cRCVoK+u1qdSDiN6clcu 8UNtjbbASN3pcsml6LMJSUEP2JR5cQu2kMei1Yru1xs+5scGD1Djq8rIzmCC+Qrb E5DFgiQBwLpBpCobLkJ6hAGPJRKBt6EKyCbVL96vwUjgWNuyAMZV5warq54WZtJE NesPlYXyCFFUnNwlsNuREpkU4ukHPMzDqC7YylCKqdIPHTtXg2SYjH54W88upimx rjXRqIEqYZNgIOqSctXTC47nUI6/QhHr3uCVtySbkRgcYTBMYTuItImQICsfBGe+ W8+7fclxtPolnTcMplJvX4m0BTkX22Oz99XEwdX4WOjD/SotZdCL5Z4OFMsPk+qg FwfXsRzO9Ri0GVvtCkjOrBZIDhd59b2sjujtrg8KTaKyO+WixA== =V8tI -----END PGP SIGNATURE----- --=_8943a02cfb2f99594f37a66a5ec51401--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b4bc3f5a327553c514467315af4937ba>