mac_seeotheruids(4)

NAME

mac_seeotheruids - simple policy controlling whether users
see other users

SYNOPSIS

To  compile the policy into your kernel, place the following
lines in your
kernel configuration file:
      options MAC
      options MAC_SEEOTHERUIDS
Alternately, to load the module at boot time, place the following line in
your kernel configuration file:
      options MAC
and in loader.conf(5):
      mac_seeotheruids_load="YES"

DESCRIPTION

The mac_seeotheruids policy module, when enabled, denies
users to see processes or sockets owned by other users.
To enable mac_seeotheruids, set the sysctl OID security.mac.seeotheruids.enabled to 1.
To allow users to see processes and sockets owned by the
same primary group, set the sysctl OID
security.mac.seeotheruids.primarygroup_enabled to 1.
To allow processes with a specific group ID to be exempt
from the policy, set the sysctl OID
security.mac.seeotheruids.specificgid_enabled to 1, and security.mac.seeotheruids.specificgid to the group ID to
be exempted.
Label Format: No labels are defined for mac_seeotheruids.

HISTORY

The mac_seeotheruids policy module first appeared in FreeBSD
5.0 and was developed by the TrustedBSD Project.

AUTHORS

This software was contributed to the FreeBSD Project by Net
work Associates Labs, the Security Research Division of Network Associ
ates Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as
part of the DARPA CHATS research program.

BUGS

See mac(9) concerning appropriateness for production use.
The TrustedBSD MAC Framework is considered experimental in FreeBSD.
While the MAC Framework design is intended to support the
containment of the root user, not all attack channels are currently pro
tected by entry point checks. As such, MAC Framework policies should not be
relied on, in isolation, to protect against a malicious privileged us
er.
BSD December 8, 2002

docs.sk

comprehensive documentation repository

See also

mac_seeotheruids(4)

NAME

SYNOPSIS

DESCRIPTION

SEE ALSO

HISTORY

AUTHORS

BUGS