#!/bin/sh
#
# Copyright (c) 2004 Tom Rhodes
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$
#

####
# Sample startup policy for the mac_bsdextended(4) security module.
#
# Pull in the system configuration variables from the rc.conf files
# unless the caller has already done so (source_rc_confs_defined is
# expected to be set once those files have been read — presumably
# the case when this file is reached from the rc(8) framework).
####
case "${source_rc_confs_defined}" in
"")
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
	;;
esac

####
# Path of the ugidfw(8) utility that installs every rule below.
####
CMD=/usr/sbin/ugidfw

####
# WARNING: recommended reading is the handbook's MAC
# chapter and the ugidfw(8) manual page. You can
# lock yourself out of the system very quickly by setting
# incorrect values here. These are only examples.
####

####
# Build a generic list of rules here, these should be
# modified before using this script.
#
# For apache to read user files, the ruleadd must give
# it permissions by default.
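####

####
# Helpers used by every rule below.
#
# ugidfw_add_rule: install one rule through "${CMD} add ..." and, when
# that fails, report which rule could not be installed so a partially
# loaded policy is visible in the boot log instead of silently missing
# rules.  Returns 0 on success, 1 when ugidfw(8) reports failure.
#
# ugidfw_local_users: print one /etc/passwd field for every local user
# account, i.e. uid >= 1001 (the first non-system uid) excluding
# nobody (65534).  $1 is the field number to print: 1 = login name,
# 3 = numeric uid (default 1).  The field number is handed to awk
# with -v rather than interpolated into the program text.
####
ugidfw_add_rule() {
	"${CMD}" add "$@" && return 0
	printf 'bsdextended policy: failed to add rule: %s\n' "$*" >&2
	return 1
}

ugidfw_local_users() {
	awk -F: -v field="${1:-1}" \
	    '($3 >= 1001) && ($3 != 65534) { print $field }' /etc/passwd
}

####
# Rule order matters: mac_bsdextended(4) checks rules in the order
# they were added and, with first-match evaluation enabled (the
# default), the first rule matching both subject and object decides.
# Keep the per-user mailbox rules ahead of the isolation rules below.
####

####
# For apache (uid/gid 80); disabled by default:
#ugidfw_add_rule subject uid 80 object not uid 80 mode rxws
#ugidfw_add_rule subject gid 80 object not gid 80 mode rxws

####
# majordomo compat:
#ugidfw_add_rule subject uid 54 object not uid 54 mode rxws
#ugidfw_add_rule subject gid 26 object gid 54 mode rxws

####
# This is for root:
ugidfw_add_rule subject uid 0 object not uid 0 mode arxws
ugidfw_add_rule subject gid 0 object not gid 0 mode arxws

####
# And for majordomo:
#ugidfw_add_rule subject uid 54 object not uid 54 mode rxws
#ugidfw_add_rule subject gid 54 object not gid 54 mode rxws

####
# And for bin:
ugidfw_add_rule subject uid 3 object not uid 3 mode rxws
ugidfw_add_rule subject gid 7 object not gid 7 mode rxws

####
# And for mail/pop:
#ugidfw_add_rule subject uid 68 object not uid 68 mode rxws
#ugidfw_add_rule subject gid 6 object not gid 6 mode arxws

####
# And for smmsp:
ugidfw_add_rule subject uid 25 object not uid 25 mode rxws
ugidfw_add_rule subject gid 25 object not gid 25 mode rxws

####
# And for mailnull:
ugidfw_add_rule subject uid 26 object not uid 26 mode rxws
ugidfw_add_rule subject gid 26 object not gid 26 mode rxws

####
# For cyrus:
#ugidfw_add_rule subject uid 60 object not uid 60 mode rxws
#ugidfw_add_rule subject gid 60 object not gid 60 mode rxws

####
# For stunnel:
#ugidfw_add_rule subject uid 1018 object not uid 1018 mode rxws
#ugidfw_add_rule subject gid 1018 object not gid 1018 mode rxws

####
# For the nobody account:
ugidfw_add_rule subject uid 65534 object not uid 65534 mode rxws
ugidfw_add_rule subject gid 65534 object not gid 65534 mode rxws

####
# NOTICE: The next loop adds a rule to allow each user to
# access their mailbox which is owned by GID `6'.
# Removing this will give mailbox lock issues.
# Login names are read one per line (no word splitting or globbing
# of the awk output) and passed quoted to ugidfw.
ugidfw_local_users 1 | while IFS= read -r user; do
	[ -n "${user}" ] || continue
	ugidfw_add_rule subject uid "${user}" object gid 6 mode arwxs
done

####
# Use the same list of users and add all users to mode n for
# all other users. This will isolate all users from other user
# home directories while permitting them to use commands and
# browse the system.
ugidfw_local_users 1 | while IFS= read -r user; do
	[ -n "${user}" ] || continue
	ugidfw_add_rule subject not uid "${user}" object uid "${user}" mode n
done

####
# Do the same thing but only for group ids in place of
# user IDs.
# NOTE(review): this reads the numeric *uid* column of /etc/passwd
# and uses it as a gid, which only lines up when every user has a
# private group numbered like its uid; confirm that holds on this
# system, otherwise field 4 (the primary gid) is the one to use.
ugidfw_local_users 3 | while IFS= read -r id; do
	[ -n "${id}" ] || continue
	ugidfw_add_rule subject not gid "${id}" object uid "${id}" mode n
done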