Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 05 Jun 2024 09:07:26 +0200
From:      Alexander Leidinger <Alexander@Leidinger.net>
To:        Nicolas MASSE <Nicolas.MASSE@stormshield.eu>
Cc:        "freebsd-hackers@FreeBSD.org" <freebsd-hackers@freebsd.org>
Subject:   Re: Generic module for managing access through the mac framework
Message-ID:  <b4bc3f5a327553c514467315af4937ba@Leidinger.net>
In-Reply-To: <3b62d55d66101bebd504a65f9b2706ab40edb712.camel@stormshield.eu>
References:  <3b62d55d66101bebd504a65f9b2706ab40edb712.camel@stormshield.eu>

next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)

--=_8943a02cfb2f99594f37a66a5ec51401
Content-Type: multipart/alternative;
 boundary="=_966ae685291f49a44a6c924e22d5600e"

--=_966ae685291f49a44a6c924e22d5600e
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII;
 format=flowed

Am 2024-06-04 16:47, schrieb Nicolas MASSE:

> Hello,
> 
> At my company, we are working on a generic mac module. Its purpose is 
> to grant some users a set of privileges in order to run their services.
> 
> For example, it can be configured in order to allow the ntp user to set 
> the system clock (PRIV_CLOCK_SETTIME), or allow a process to change its 
> user or groups (PRIV_CRED_SET[UID|GID|GROUPS), restricting them to some 
> allowed values.
> 
> After reading the discussions around the mac_do module, I was wondering 
> if other people could be interested in such a more generic module.
> 
> Even though it doesn't do the exact same thing, it still has a lot in 
> common with mac_do while extending its capabilities.
> 
> So far, it is still a work in progress so we don't have code to share 
> yet. Though I think it'd be interesting to speak about the idea.
> 
> I can explain further how we plan to do this if any of you is 
> interested.

This sounds a bit like the Solaris RBAC/privileges.

   
https://docs.oracle.com/cd/E23824_01/html/821-1456/prbac-1.html#scrolltoc

IMO it would be worth to include, as it allows a more fine grained 
access to privileged stuff without the need to handout full root 
permissions to some applications.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
--=_966ae685291f49a44a6c924e22d5600e
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset=UTF-8

<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html; charset=
=3DUTF-8" /></head><body style=3D'font-size: 10pt; font-family: Verdana,Gen=
eva,sans-serif'>
<p id=3D"reply-intro">Am 2024-06-04 16:47, schrieb Nicolas MASSE:</p>
<blockquote type=3D"cite" style=3D"padding: 0 0.4em; border-left: #1010ff 2=
px solid; margin: 0">
<div id=3D"replybody1">
<div style=3D"text-align: left; direction: ltr;">
<pre class=3D"v1main">Hello,</pre>
<pre class=3D"v1main">&nbsp;</pre>
<pre class=3D"v1main">At my company, we are working on a generic mac module=
=2E Its purpose is to grant some users a set of privileges in order to run =
their services.</pre>
<pre class=3D"v1main">For example, it can be configured in order to allow t=
he ntp user to set the system clock (PRIV_CLOCK_SETTIME), or allow a proces=
s to change its user or groups (PRIV_CRED_SET[UID|GID|GROUPS), restricting =
them to some allowed values.</pre>
<pre class=3D"v1main">After reading the discussions around the mac_do modul=
e, I was wondering if other people could be interested in such a more gener=
ic module.</pre>
<pre class=3D"v1main">Even though it doesn't do the exact same thing, it st=
ill has a lot in common with mac_do while extending its capabilities.</pre>
<pre class=3D"v1main">&nbsp;</pre>
<pre class=3D"v1main">So far, it is still a work in progress so we don't ha=
ve code to share yet. Though I think it'd be interesting to speak about the=
 idea.</pre>
<pre class=3D"v1main">I can explain further how we plan to do this if any o=
f you is interested.</pre>
</div>
</div>
</blockquote>
<p>This sounds a bit like the Solaris RBAC/privileges.</p>
<p>&nbsp; <a href=3D"https://docs.oracle.com/cd/E23824_01/html/821-1456/prb=
ac-1.html#scrolltoc">https://docs.oracle.com/cd/E23824_01/html/821-1456/prb=
ac-1.html#scrolltoc</a></p>
<p>IMO it would be worth to include, as it allows a more fine grained acces=
s to privileged stuff without the need to handout full root permissions to =
some applications.</p>
<p>Bye,<br />Alexander.</p>
<div id=3D"signature">-- <br />
<div class=3D"pre" style=3D"margin: 0; padding: 0; font-family: monospace">=
<a href=3D"http://www.Leidinger.net" target=3D"_blank" rel=3D"noopener nore=
ferrer">http://www.Leidinger.net</a>; <a href=3D"mailto:Alexander@Leidinger.=
net:">Alexander@Leidinger.net:</a> PGP 0x8F31830F9F2772BF<br /><a href=3D"h=
ttp://www.FreeBSD.org" target=3D"_blank" rel=3D"noopener noreferrer">http:/=
/www.FreeBSD.org</a> &nbsp; &nbsp;<a href=3D"mailto:netchild@FreeBSD.org">n=
etchild@FreeBSD.org</a> &nbsp;: PGP 0x8F31830F9F2772BF</div>
</div>
</body></html>

--=_966ae685291f49a44a6c924e22d5600e--


--=_8943a02cfb2f99594f37a66a5ec51401
Content-Type: application/pgp-signature;
 name=signature.asc
Content-Disposition: attachment;
 filename=signature.asc;
 size=833
Content-Description: OpenPGP digital signature

-----BEGIN PGP SIGNATURE-----

iQIyBAEBCAAdFiEER9UlYXp1PSd08nWXEg2wmwP42IYFAmZgDr0ACgkQEg2wmwP4
2IbD9w/4zCLzPwmKUwCS6rV+jda6quZx1k6vRIz8Bl1QQ+ej25HSka5NaGPgs01z
Mg1+bVa/ODz9VFONfJSUw1cMx0FuqRC5V6nAcbkmWaHmKKXsrwsmmJHnwtZJ8Kwo
Y3xyBLEhhtxkUes+VjxK6OtA3KiG+YDIwZZILLZdS8zPanwozp56lTneate7TBZi
4Oc9y7ACK4PNVTE+DN3br6bPBGo5J+/OvPzn9NPOx3Wgm0O0RcHrL8UxFyuQIl1e
XWQtMAarR+FBfKQ/L7YIQiNtwUHmMn5OOt27eBRMnWd3cRCVoK+u1qdSDiN6clcu
8UNtjbbASN3pcsml6LMJSUEP2JR5cQu2kMei1Yru1xs+5scGD1Djq8rIzmCC+Qrb
E5DFgiQBwLpBpCobLkJ6hAGPJRKBt6EKyCbVL96vwUjgWNuyAMZV5warq54WZtJE
NesPlYXyCFFUnNwlsNuREpkU4ukHPMzDqC7YylCKqdIPHTtXg2SYjH54W88upimx
rjXRqIEqYZNgIOqSctXTC47nUI6/QhHr3uCVtySbkRgcYTBMYTuItImQICsfBGe+
W8+7fclxtPolnTcMplJvX4m0BTkX22Oz99XEwdX4WOjD/SotZdCL5Z4OFMsPk+qg
FwfXsRzO9Ri0GVvtCkjOrBZIDhd59b2sjujtrg8KTaKyO+WixA==
=V8tI
-----END PGP SIGNATURE-----

--=_8943a02cfb2f99594f37a66a5ec51401--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b4bc3f5a327553c514467315af4937ba>