Date: Sat, 11 Oct 2025 03:55:40 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 290140] mdo(1) and mac_do(4) not working on 15ALPHA5
Message-ID: <bug-290140-227@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290140

            Bug ID: 290140
           Summary: mdo(1) and mac_do(4) not working on 15ALPHA5
           Product: Base System
           Version: 15.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: 0x1eef@protonmail.com

My system:

FreeBSD orca.home.network 15.0-ALPHA5-HBSD FreeBSD 15.0-ALPHA5-HBSD HARDENEDBSD amd64

My environment:

HEAD is e504946ee119c4bd3940bea798bd47e85b0a25d0

Problem:

The mac_do man page suggests that we separate the source and target parts of a
rule with the > character. Let's try that:

root@orca:~ # sysctl security.mac.do.rules=uid=1001>uid=0,gid=0
sysctl: security.mac.do.rules=uid=1001: Invalid argument

Hm. Doesn't work. But the old syntax does work:

root@orca:~ # sysctl security.mac.do.rules=uid=1001:uid=0,gid=0
security.mac.do.rules: uid=1001:uid=0,gid=0 -> uid=1001:uid=0,gid=0

Now let's try to use mdo as the user with id 1001.

0x1eef at orca.home.network [~] % id
uid=1001(0x1eef) gid=1001(0x1eef) groups=0(wheel),1001(0x1eef),1002(_sourcezap),1003(_portzap)
0x1eef at orca.home.network [~] % mdo -u root ls
mdo: setcred(): Operation not permitted

I would have expected the command to work, given the rule that has been set.

0x1eef at orca.home.network [~] % sysctl -a | grep security.mac.do
security.mac.do.rules: uid=1001:uid=0,gid=0
security.mac.do.print_parse_error: 1
security.mac.do.enabled: 1

-- 
You are receiving this mail because:
You are the assignee for the bug.
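A shell-level check that bears on the first command in the report, added here as an example and not part of the bug report or of FreeBSD: in sh and csh alike an unquoted > is an output-redirection operator, so the shell splits `sysctl security.mac.do.rules=uid=1001>uid=0,gid=0` into the single argument `security.mac.do.rules=uid=1001` plus a redirection of stdout to a file named `uid=0,gid=0`, which is exactly the argument echoed back in the "Invalid argument" error. The script below uses a stand-in function `fake_sysctl` (an assumption; it never calls the real sysctl(8)) to show which argument each spelling delivers, and runs the unquoted form inside a scratch directory so the file the redirection creates lands there rather than in the working directory.

```shell
#!/bin/sh
# Added example (not from the bug report): what the shell hands to a command
# when a rule string containing '>' is left unquoted versus quoted.

# Stand-in for sysctl(8): reports the arguments it received. Assumption: the
# real sysctl is never invoked by this script.
fake_sysctl() {
    printf 'argc=%d argv=%s\n' "$#" "$*"
}

# Unquoted: the shell treats '>' as output redirection. fake_sysctl receives
# only 'security.mac.do.rules=uid=1001' and its output is written to a file
# named 'uid=0,gid=0'. Run in a scratch directory so that file is created
# there, then read it back to show what the command actually saw.
unquoted_rule() {
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && fake_sysctl security.mac.do.rules=uid=1001>uid=0,gid=0 )
    cat "$tmp/uid=0,gid=0"
    rm -rf "$tmp"
}

# Quoted: the whole rule, '>' included, arrives as one argument.
quoted_rule() {
    fake_sysctl 'security.mac.do.rules=uid=1001>uid=0,gid=0'
}

# Stand-alone run: print both results for comparison.
unquoted_rule
quoted_rule
```

Only the quoted form delivers the full rule to sysctl; whether mac_do(4) on that build then accepts the > separator is a separate question that the report does not settle, since the kernel never received that string.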
Archived at: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-290140-227>
