1.\" Copyright (c) 2002 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Laboratories, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.\" $FreeBSD$ 32.\" 33.Dd October 6, 2005 34.Os 35.Dt MAC_SEEOTHERUIDS 4 36.Sh NAME 37.Nm mac_seeotheruids 38.Nd "simple policy controlling whether users see other users" 39.Sh SYNOPSIS 40To compile the 41policy into your kernel, place the following lines in your kernel 42configuration file: 43.Bd -ragged -offset indent 44.Cd "options MAC" 45.Cd "options MAC_SEEOTHERUIDS" 46.Ed 47.Pp 48Alternately, to load the module at boot time, place the following line 49in your kernel configuration file: 50.Bd -ragged -offset indent 51.Cd "options MAC" 52.Ed 53.Pp 54and in 55.Xr loader.conf 5 : 56.Bd -literal -offset indent 57mac_seeotheruids_load="YES" 58.Ed 59.Sh DESCRIPTION 60The 61.Nm 62policy module, when enabled, denies users to see processes or sockets owned 63by other users. 64.Pp 65To enable 66.Nm , 67set the sysctl OID 68.Va security.mac.seeotheruids.enabled 69to 1. 70To permit superuser awareness of other credentials by virtue of privilege, 71set the sysctl OID 72.Va security.mac.seeotheruids.suser_privileged 73to 1. 74.Pp 75To allow users to see processes and sockets owned by the same primary group, 76set the sysctl OID 77.Va security.mac.seeotheruids.primarygroup_enabled 78to 1. 79.Pp 80To allow processes with a specific group ID to be exempt from the policy, 81set the sysctl OID 82.Va security.mac.seeotheruids.specificgid_enabled 83to 1, and 84.Va security.mac.seeotheruids.specificgid 85to the group ID to be exempted. 86.Ss Label Format 87No labels are defined for 88.Nm . 89.Sh SEE ALSO 90.Xr mac 4 , 91.Xr mac_biba 4 , 92.Xr mac_bsdextended 4 , 93.Xr mac_ifoff 4 , 94.Xr mac_lomac 4 , 95.Xr mac_mls 4 , 96.Xr mac_none 4 , 97.Xr mac_partition 4 , 98.Xr mac_portacl 4 , 99.Xr mac_test 4 , 100.Xr mac 9 101.Sh HISTORY 102The 103.Nm 104policy module first appeared in 105.Fx 5.0 106and was developed by the 107.Tn TrustedBSD 108Project. 109.Sh AUTHORS 110This software was contributed to the 111.Fx 112Project by Network Associates Labs, 113the Security Research Division of Network Associates 114Inc. 115under DARPA/SPAWAR contract N66001-01-C-8035 116.Pq Dq CBOSS , 117as part of the DARPA CHATS research program. 118.Sh BUGS 119See 120.Xr mac 9 121concerning appropriateness for production use. 122The 123.Tn TrustedBSD 124MAC Framework is considered experimental in 125.Fx . 126.Pp 127While the MAC Framework design is intended to support the containment of 128the root user, not all attack channels are currently protected by entry 129point checks. 130As such, MAC Framework policies should not be relied on, in isolation, 131to protect against a malicious privileged user. 132