xref: /freebsd/usr.sbin/ugidfw/ugidfw.8 (revision fa9896e082a1046ff4fbc75fcba4d18d1f2efc19)

.\" Copyright (c) 2002, 2004 Networks Associates Technology, Inc.
.\" All rights reserved.
.\"
.\" This software was developed for the FreeBSD Project by Chris
.\" Costello at Safeport Network Services and NAI Labs, the Security
.\" Research Division of Network Associates, Inc. under DARPA/SPAWAR
.\" contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS
.\" research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd February 24, 2004
.Dt UGIDFW 8
.Os
.Sh NAME
.Nm ugidfw
.Nd "firewall-like access controls for file system objects"
.Sh SYNOPSIS
.Nm
.Cm add
.Cm subject
.Op Cm not
.Oo
.Op Cm \&!
.Cm uid Ar uid | minuid:maxuid
.Oc
.Oo
.Op Cm \&!
.Cm gid Ar gid | mingid:maxgid
.Oc
.Oo
.Op Cm \&!
.Cm jailid Ad jailid
.Oc
.Cm object
.Op Cm not
.Oo
.Op Cm \&!
.Cm uid Ar uid | minuid:maxuid
.Oc
.Oo
.Op Cm \&!
.Cm gid Ar gid | mingid:maxgid
.Oc
.Oo
.Op Cm \&!
.Cm filesys Ad path
.Oc
.Oo
.Op Cm \&!
.Cm suid
.Oc
.Oo
.Op Cm \&!
.Cm sgid
.Oc
.Oo
.Op Cm \&!
.Cm uid_of_subject
.Oc
.Oo
.Op Cm \&!
.Cm gid_of_subject
.Oc
.Oo
.Op Cm \&!
.Cm type Ar ardbclsp
.Oc
.Cm mode
.Ar arswxn
.Nm
.Cm list
.Nm
.Cm set
.Ar rulenum
.Cm subject
.Op Cm not
.Oo
.Op Cm \&!
.Cm uid Ar uid | minuid:maxuid
.Oc
.Oo
.Op Cm \&!
.Cm gid Ar gid | mingid:maxgid
.Oc
.Oo
.Op Cm \&!
.Cm jailid Ad jailid
.Oc
.Cm object
.Op Cm not
.Oo
.Op Cm \&!
.Cm uid Ar uid | minuid:maxuid
.Oc
.Oo
.Op Cm \&!
.Cm gid Ar gid | mingid:maxgid
.Oc
.Oo
.Op Cm \&!
.Cm filesys Ad path
.Oc
.Oo
.Op Cm \&!
.Cm suid
.Oc
.Oo
.Op Cm \&!
.Cm sgid
.Oc
.Oo
.Op Cm \&!
.Cm uid_of_subject
.Oc
.Oo
.Op Cm \&!
.Cm gid_of_subject
.Oc
.Oo
.Op Cm \&!
.Cm type Ar ardbclsp
.Oc
.Cm mode
.Ar arswxn
.Nm
.Cm remove
.Ar rulenum
.Sh DESCRIPTION
The
.Nm
utility provides an
.Xr ipfw 8 Ns -like
interface to manage access to file system objects by UID and GID,
supported by the
.Xr mac_bsdextended 4
.Xr mac 9
policy.
.Pp
The arguments are as follows:
.Bl -tag -width indent -offset indent
.It Xo
.Cm add
.Cm subject
.Ar ...
.Cm object
.Ar ...
.Cm mode
.Ar arswxn
.Xc
Add a new rule, automatically selecting the rule number.
See the description of
.Cm set
for syntax information.
.It Cm list
Produces a list of all the current
.Nm
rules in the system.
.It Xo
.Cm set Ar rulenum
.Cm subject
.Ar ...
.Cm object
.Ar ...
.Cm mode
.Ar arswxn
.Xc
Add a new rule or modify an existing rule.
The arguments are as follows:
.Bl -tag -width ".Ar rulenum"
.It Ar rulenum
Rule number.
Entries with a lower rule number
are applied first;
placing the most frequently-matched rules at the beginning of the list
(i.e., lower-numbered)
will yield a slight performance increase.
.It Xo
.Cm subject
.Op Cm not
.Oo
.Op Cm \&!
.Cm uid Ar uid | minuid:maxuid
.Oc
.Oo
.Op Cm \&!
.Cm gid Ar gid | mingid:maxgid
.Oc
.Oo
.Op Cm \&!
.Cm jailid Ad jailid
.Oc
.Xc
Subjects performing an operation must match all the conditions given.
A leading
.Cm not
means that the subject should not match the remainder of the specification.
A condition may be prefixed by
.Cm \&!
to indicate that particular condition must not match the subject.
The subject can be required to have a particular
.Ar uid
and/or
.Ar gid .
A range of uids/gids can be specified, separated by a colon.
The subject can be required to be in a particular jail with the
.Ar jailid .
.It Xo
.Cm object
.Op Cm not
.Oo
.Op Cm \&!
.Cm uid Ar uid | minuid:maxuid
.Oc
.Oo
.Op Cm \&!
.Cm gid Ar gid | mingid:maxgid
.Oc
.Oo
.Op Cm \&!
.Cm filesys Ad path
.Oc
.Oo
.Op Cm \&!
.Cm suid
.Oc
.Oo
.Op Cm \&!
.Cm sgid
.Oc
.Oo
.Op Cm \&!
.Cm uid_of_subject
.Oc
.Oo
.Op Cm \&!
.Cm gid_of_subject
.Oc
.Oo
.Op Cm \&!
.Cm type Ar ardbclsp
.Oc
.Xc
The rule will apply only to objects matching all the specified conditions.
A leading
.Cm not
means that the object should not match all the remaining conditions.
A condition may be prefixed by
.Cm \&!
to indicate that particular condition must not match the object.
Objects can be required to be owned by the user and/or group specified by
.Ar uid
and/or
.Ar gid .
A range of uids/gids can be specified, separated by a colon.
The object can be required to be in a particular filesystem by
specifying the filesystem using
.Cm filesys .
Note,
if the filesystem is unmounted and remounted,
then the rule may need to be reapplied to ensure the correct filesystem
id is used.
The object can be required to have the
.Cm suid
or
.Cm sgid
bits set.
The owner of the object can be required to match the
.Cm uid_of_subject
or the
.Cm gid_of_subject
attempting the operation.
The type of the object can be restricted to a subset of
the following types.
.Pp
.Bl -tag -width ".Cm w" -compact -offset indent
.It Cm a
any file type
.It Cm r
a regular file
.It Cm d
a directory
.It Cm b
a block special device
.It Cm c
a character special device
.It Cm l
a symbolic link
.It Cm s
a unix domain socket
.It Cm p
a named pipe (FIFO)
.El
.It Cm mode Ar arswxn
Similar to
.Xr chmod 1 ,
each character represents an access mode.
If the rule applies,
the specified access permissions are enforced
for the object.
When a character is specified in the rule,
the rule will allow for the operation.
Conversely, not including it will cause the operation
to be denied.
The definitions of each character are as follows:
.Pp
.Bl -tag -width ".Cm w" -compact -offset indent
.It Cm a
administrative operations
.It Cm r
read access
.It Cm s
access to file attributes
.It Cm w
write access
.It Cm x
execute access
.It Cm n
none
.El
.El
.It Cm remove Ar rulenum
Disable and remove the rule with the specified rule number.
.El
.Sh SEE ALSO
.Xr mac_bsdextended 4 ,
.Xr mac 9
.Sh HISTORY
The
.Nm
utility first appeared in
.Fx 5.0 .
.Sh AUTHORS
This software was contributed to the
.Fx
Project by NAI Labs, the Security Research Division of Network Associates
Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
.Pq Dq CBOSS ,
as part of the DARPA CHATS research program.