1.\" Copyright (c) 2002 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris Costello 5.\" at Safeport Network Services and Network Associates Laboratories, the 6.\" Security Research Division of Network Associates, Inc. under 7.\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the 8.\" DARPA CHATS research program. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 30.\" 31.\" $FreeBSD$ 32.Dd DECEMBER 8, 2002 33.Os 34.Dt MAC_SEEOTHERUIDS 4 35.Sh NAME 36.Nm mac_seeotheruids 37.Nd simple policy controlling whether users see other users 38.Sh SYNOPSIS 39To compile the mac_seeotheruids 40policy into your kernel, place the following lines in your kernel 41configuration file: 42.Cd "options MAC" 43.Cd "options MAC_SEEOTHERUIDS" 44.Pp 45Alternately, to load the module at boot time, place the following line 46in your kernel configuration file: 47.Cd "options MAC" 48.Pp 49and in 50.Xr loader.conf.5 : 51.Cd mac_seeotheruids_load= Ns \&"YES" 52.Sh DESCRIPTION 53The 54.Nm 55policy module, when enabled, denies users to see processes or sockets owned 56by other users. 57.Pp 58To enable 59.Nm , 60set the sysctl OID 61.Va security.mac.seeotheruids.enabled 62to 63.Li 1 . 64.Pp 65To allow users to see processes and sockets owned by the same primary group, 66set the sysctl OID 67.Va security.mac.seeotheruids.primarygroup_enabled 68to 69.Li 1 . 70.Pp 71To allow processes with a specific group ID to be exempt from the policy, 72set the sysctl OID 73.Va security.mac.seeotheruids.specificgid_enabled 74to 75.Li 1 , 76and 77.Va security.mac.seeotheruids.specificgid 78to the gid to be exempted. 79.Ss Label Format 80No labels are defined for 81.Nm . 82.Sh SEE ALSO 83.Xr mac 4 , 84.Xr mac_biba 4 , 85.Xr mac_bsdextended 4 , 86.Xr mac_ifoff 4 , 87.Xr mac_lomac 4 , 88.Xr mac_mls 4 , 89.Xr mac_partition 4 , 90.Xr mac_portacl 4 , 91.Xr mac_none 4 , 92.Xr mac_test 4 , 93.Xr mac 9 94.Sh HISTORY 95The 96.Nm 97policy module first appeared in 98.Fx 5.0 99and was developed by the TrustedBSD Project. 100.Sh AUTHORS 101This software was contributed to the 102.Fx 103Project by Network Associates Labs, 104the Security Research Division of Network Associates 105Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 106as part of the DARPA CHATS research program. 107.Sh BUGS 108See 109.Xr mac 9 110concerning appropriateness for production use. 111The TrustedBSD MAC Framework is considered experimental in 112.Fx . 113.Pp 114While the MAC Framework design is intended to support the containment of 115the root user, not all attack channels are currently protected by entry 116point checks. 117As such, MAC Framework policies should not be relied on, in isolation, 118to protect against a malicious privileged user. 119