1.\"- 2.\" SPDX-License-Identifier: BSD-2-Clause 3.\" 4.\" Copyright (c) 2024 Baptiste Daroussin <bapt@FreeBSD.org> 5.\" Copyright (c) 2025 Kushagra Srivastava <kushagra1403@gmail.com> 6.\" Copyright (c) 2025 The FreeBSD Foundation 7.\" 8.\" Portions of this documentation were written by Olivier Certner 9.\" <olce@FreeBSD.org> at Kumacom SARL under sponsorship from the FreeBSD 10.\" Foundation. 11.\" 12.Dd November 26, 2025 13.Dt MDO 1 14.Os 15.Sh NAME 16.Nm mdo 17.Nd execute commands with specific credentials 18.Sh SYNOPSIS 19.Nm 20.Op Fl u Ar user | Fl k 21.Op Fl i 22.Op Fl g Ar group 23.Op Fl G Ar group1,group2,... 24.Op Fl s Ar groups_mod1,groups_mod2,... 25.Op Fl h 26.Op Fl -ruid Ar user 27.Op Fl -svuid Ar user 28.Op Fl -euid Ar user 29.Op Fl -rgid Ar group 30.Op Fl -svgid Ar group 31.Op Fl -egid Ar group 32.Op -- 33.Op Ar command Op Ar args ... 34.Sh DESCRIPTION 35The 36.Nm 37utility executes the passed 38.Ar command 39with the requested process credentials or, if no 40.Ar command 41was specified, the program whose path is the value of the 42.Ev SHELL 43environment variable or 44.Pa /bin/sh 45if that variable is unset. 46The calling user must either be the superuser 47.Pq effective user ID of 0 48or the credentials transition from the caller's to the requested ones must be 49authorized by a MAC module such as 50.Xr mac_do 4 . 51The target process credentials are applied atomically using 52.Xr setcred 2 . 53.Pp 54Process credentials comprise the real, effective and saved user IDs, the real, 55effective and saved group IDs, hereby called the 56.Dq primary 57groups, and the supplementary groups as a set of group IDs. 58Below, the 59.Dq user 60phrase implies that the real, effective and saved user IDs all have or are going 61to be set to the same value. 62The 63.Dq primary group 64phrase is used similarly with respect to primary groups. 65.Pp 66The target process credentials have to be fully specified, either explicitly by 67listing all attributes and their requested values, or indirectly by establishing 68a baseline that provides a default value for each attribute, which can then be 69amended by additional options. 70.Pp 71Possible baselines are either the full set of credentials established at login 72for a specific named user, the current credentials, or the current credentials' 73primary and supplementary groups which implies some user is specified 74explicitly. 75They are respectively established by using either option 76.Fl u 77with a named user argument, option 78.Fl k , 79or option 80.Fl i 81in conjunction with 82.Fl u 83or no other options. 84If no other option than 85.Fl i 86appears, a default of 87.Fl u Cm root 88is implied. 89.Pp 90The primary group can be set or amended with option 91.Fl g , 92whereas the supplementary groups can be either fully replaced with an explicit 93list using option 94.Fl G 95or amended through set-like operations with option 96.Fl s . 97.Pp 98Any of the individual real, effective and saved user and group IDs can be 99overridden separately if desired through the options 100.Fl -ruid , 101.Fl -euid , 102and 103.Fl -svuid 104for users, and 105.Fl -rgid , 106.Fl -egid , 107and 108.Fl -svgid 109for groups respectively. 110.Pp 111The options are: 112.Bl -tag -width indent 113.It Fl -euid Ar user 114Override the effective user. 115As for 116.Fl u , 117.Ar user 118may either be a name or a numerical ID. 119.It Fl -egid Ar group 120Override the effective group. 121As for 122.Fl g , 123.Ar group 124may either be a name or a numerical ID. 125.It Fl G Ar group1,group2,... 126Set or replace the full set of supplementary groups. 127As for 128.Fl g , 129groups can be specified by name or numerical ID. 130Groups must be separated by commas, and spaces around commas are not allowed. 131.It Fl g Ar group 132Set or amend the primary group. 133.Ar group 134may be the name of a group in the group database, else will be interpreted as 135a numerical group ID. 136.It Fl h 137Display usage information and exit. 138.It Fl i 139Uses the current credentials' primary and supplementary groups as the baseline. 140If no other option is present, the target user is assumed to be 141.Dq root . 142Otherwise, 143.Fl u 144or 145.Fl k 146must be specified. 147.It Fl k 148Use the current credentials as the baseline. 149Incompatible with 150.Fl u . 151Implies 152.Fl i . 153.It Fl -ruid Ar user 154Override the real user. 155As for 156.Fl u , 157.Ar user 158may either be a name or a numerical ID. 159.It Fl -rgid Ar group 160Override the real group. 161As for 162.Fl g , 163.Ar group 164may either be a name or a numerical ID. 165.It Fl s Ar groups_mod1,groups_mod2,... 166Incrementally modify the supplementary groups set. 167The argument is a comma-separated list of directives: 168.Bl -tag -width indent -compact 169.It Cm @ 170Reset the set to the empty set. 171When present, must be the first directive. 172.It Cm + Ns Ar group 173Include a group. 174.It Cm - Ns Ar group 175Exclude a group. 176.El 177If 178.Fl G 179is also specified, 180.Fl s 181applies on the list installed by it. 182In this case, the 183.Cm @ 184directive cannot be used 185.Pq this limitation may be lifted in the future . 186.It Fl -svuid Ar user 187Override the saved user. 188As for 189.Fl u , 190.Ar user 191may either be a name or a numerical ID. 192.It Fl -svgid Ar group 193Override the saved group. 194As for 195.Fl g , 196.Ar group 197may either be a name or a numerical ID. 198.It Fl u Ar user 199Specify a target user. 200If 201.Ar user 202is the name of some user in the user database, 203this option establishes his full login credentials, as specified by the user and 204group databases, as the baseline. 205Else, 206.Ar user 207is interpreted as a numerical user ID, and that ID is used to set the target 208user only. 209.El 210.Sh EXAMPLES 211Run a command as another user: 212.Bd -literal -offset indent 213mdo -u alice id 214.Ed 215.Pp 216Run with explicit primary and supplementary groups: 217.Bd -literal -offset indent 218mdo -u 1001 -g wheel -G staff,operator /bin/sh 219.Ed 220.Pp 221Modify only supplementary groups for the current user: 222.Bd -literal -offset indent 223mdo -k -s +wheel,+operator /usr/bin/id 224.Ed 225.Pp 226Emulate the effect of a set-user-ID bit on the process image file, assuming its 227user ID is 228.Dq root : 229.Bd -literal -offset indent 230mdo -k --euid root --svuid root id 231.Ed 232.Sh SEE ALSO 233.Xr su 1 , 234.Xr setcred 2 , 235.Xr mac_do 4 236.Sh HISTORY 237The 238.Nm 239command first appeared in 240.Fx 14.2 . 241.Pp 242Support for specifying or amending groups, group-only transitions and 243fine-grained control of real, effective and saved variants of user and primary 244group first appeared in 245.Fx 15.0 . 246.Sh AUTHORS 247The 248.Nm 249program was originally created by 250.An -nosplit 251.An Baptiste Daroussin Aq Mt bapt@FreeBSD.org . 252It was modified to use the 253.Xr setcred 2 254system call by 255.An Olivier Certner Aq Mt olce@FreeBSD.org , 256who designed the group-related and fine-grained-control-of-target-credentials 257functionalities and supervised 258.An Kushagra Srivastava Aq Mt kushagra1403@gmail.com 259to add them during Google Summer of Code 2025. 260.Sh SECURITY CONSIDERATIONS 261The 262.Nm 263program is geared to role-based scenarios. 264Consequently, it does not ask for any password or request other form of 265authentication before trying to establish new credentials, instead relying 266solely on the requester's credentials for this purpose. 267.Pp 268Specific unprivileged uses may be enabled by using the 269.Xr mac_do 4 270security policy. 271