.\" Copyright (c) 2002 Networks Associates Technology, Inc.
.\" All rights reserved.
.\"
.\" This software was developed for the FreeBSD Project by Chris
.\" Costello at Safeport Network Services and NAI Labs, the Security
.\" Research Division of Network Associates, Inc. under DARPA/SPAWAR
.\" contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS
.\" research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The names of the authors may not be used to endorse or promote
.\"    products derived from this software without specific prior written
.\"    permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd October 11, 2002
.Dt UGIDFW 8
.Os
.Sh NAME
.Nm ugidfw
.Nd "firewall-like access controls for file system objects"
.Sh SYNOPSIS
.Nm
.Cm list
.Nm
.Cm set
.Ar rulenum
.Cm subject
.Op Cm not
.Op Cm uid Ar uid
.Op Cm gid Ar gid
.Cm object
.Op Cm not
.Op Cm uid Ar uid
.Op Cm gid Ar gid
.Cm mode
.Ar arswxn
.Nm
.Cm remove
.Ar rulenum
.Sh DESCRIPTION
The
.Nm
utility provides an
.Xr ipfw 8 Ns -like
interface to manage accesses to file system objects by UID and GID,
supported by the
.Xr mac_bsdextended 4
.Xr mac 9
policy.
.Pp
The arguments are as follows:
.Bl -tag -width indent -offset indent
.It Cm list
Produces a list of all the current
.Nm
rules in the system.
.It Xo
.Cm set Ar rulenum
.Cm subject
.Op Cm not
.Op Cm uid Ar uid
.Op Cm gid Ar gid
.Cm object
.Op Cm not
.Op Cm uid Ar uid
.Op Cm gid Ar gid
.Cm mode
.Ar arswxn
.Xc
Add a new rule or modify an existing rule.
The arguments are as follows:
.Bl -tag -width ".Ar rulenum"
.It Ar rulenum
Rule number.
Entries with a lower rule number
are applied first;
placing the most frequently-matched rules at the beginning of the list
(i.e., lower-numbered)
will yield a slight performance increase.
.It Xo
.Cm subject
.Op Cm not
.Op Cm uid Ar uid
.Op Cm gid Ar gid
.Xc
Subjects performing an operation must match
(or, if
.Cm not
is specified, must
.Em not
match)
the user and group specified by
.Ar uid
and/or
.Ar gid
for the rule to be applied.
.It Xo
.Cm object
.Op Cm not
.Op Cm uid Ar uid
.Op Cm gid Ar gid
.Xc
Objects must be owned by
(or, if
.Cm not
is specified, must
.Em not
be owned by)
the user and/or group specified by
.Ar uid
and/or
.Ar gid
for the rule to be applied.
.It Cm mode Ar arswxn
Similar to
.Xr chmod 1 ,
each character represents an access mode.
If the rule applies,
only the access modes listed are permitted on the object:
a character present in the mode string allows the corresponding operation,
and a character absent from it causes that operation to be denied.
A rule can only restrict access that the ordinary file permissions
would otherwise allow; it never grants additional access.
The definitions of each character are as follows:
.Pp
.Bl -tag -width ".Cm w" -compact -offset indent
.It Cm a
administrative operations
.It Cm r
read access
.It Cm s
access to file attributes
.It Cm w
write access
.It Cm x
execute access
.It Cm n
none (no access)
.El
.El
.It Cm remove Ar rulenum
Disable and remove the rule with the specified rule number.
.El
.Sh SEE ALSO
.Xr mac_bsdextended 4 ,
.Xr mac 9
.Sh HISTORY
The
.Nm
utility first appeared in
.Fx 5.0 .
.Sh AUTHORS
This software was contributed to the
.Fx
Project by NAI Labs, the Security Research Division of Network Associates
Inc. under DARPA/SPAWAR contract N66001-01-C-8035
.Pq Dq CBOSS ,
as part of the DARPA CHATS research program.
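.Sh EXAMPLES
The following is an added example and is not part of the original manual
page or of the FreeBSD ugidfw or mac_bsdextended sources.
It models, in Python, the rule grammar and mode letters described above:
it parses rules written in ugidfw syntax, renders them back to the command
lines that would install them, and decides constructed access requests
against a constructed two-rule policy.
Its evaluation order (ascending rule number, with the first applicable rule
whose mode lacks the requested access denying it), whole-clause negation for
"not", and the treatment of "n" as contributing no access are assumptions
made for the model; the real enforcement is done in the kernel by the
mac_bsdextended(4) policy.

```python
"""Model of the ugidfw(8) rule grammar and of how a rule set decides an access.

Added illustration only; not code from FreeBSD, ugidfw or mac_bsdextended(4).
Assumptions: rules are evaluated in ascending rule-number order and the first
applicable rule whose mode lacks the requested access denies it; "not" negates
the whole subject (or object) clause; "n" contributes no access bits.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ACCESS_CHARS = "arswx"                   # admin, read, stat (attributes), write, execute
MODE_CHARS = set(ACCESS_CHARS) | {"n"}   # "n" = none


@dataclass(frozen=True)
class Selector:
    """A 'subject' or 'object' clause: [not] [uid N] [gid N]."""
    negate: bool = False
    uid: Optional[int] = None
    gid: Optional[int] = None

    def matches(self, uid: int, gid: int) -> bool:
        # Every field given in the clause must match; a clause with neither uid
        # nor gid matches everything. "not" inverts the whole result (assumption).
        hit = (self.uid is None or self.uid == uid) and \
              (self.gid is None or self.gid == gid)
        return not hit if self.negate else hit

    def words(self, keyword: str) -> List[str]:
        out = [keyword]
        if self.negate:
            out.append("not")
        if self.uid is not None:
            out += ["uid", str(self.uid)]
        if self.gid is not None:
            out += ["gid", str(self.gid)]
        return out


@dataclass(frozen=True)
class Rule:
    num: int
    subject: Selector
    obj: Selector
    mode: FrozenSet[str]   # subset of ACCESS_CHARS that the rule permits

    def to_command(self) -> str:
        """Render the rule as the ugidfw(8) command line that would install it."""
        mode = "".join(c for c in ACCESS_CHARS if c in self.mode) or "n"
        return " ".join(["ugidfw", "set", str(self.num)]
                        + self.subject.words("subject")
                        + self.obj.words("object")
                        + ["mode", mode])


def parse_rule(text: str) -> Rule:
    """Parse 'set <rulenum> subject [not] [uid N] [gid N] object [not] [uid N] [gid N] mode <arswxn>'."""
    toks = text.split()
    if toks[:1] != ["set"] or len(toks) < 6:
        raise ValueError(f"expected 'set <rulenum> subject ... object ... mode ...': {text!r}")
    num = int(toks[1])
    pos = 2

    def selector(keyword: str) -> Selector:
        nonlocal pos
        if pos >= len(toks) or toks[pos] != keyword:
            raise ValueError(f"expected {keyword!r} at token {pos} in {text!r}")
        pos += 1
        negate = False
        if pos < len(toks) and toks[pos] == "not":
            negate, pos = True, pos + 1
        ids: Dict[str, int] = {}
        while pos + 1 < len(toks) and toks[pos] in ("uid", "gid"):
            if toks[pos] in ids:
                raise ValueError(f"duplicate {toks[pos]} in {text!r}")
            ids[toks[pos]] = int(toks[pos + 1])
            pos += 2
        return Selector(negate, ids.get("uid"), ids.get("gid"))

    subject = selector("subject")
    obj = selector("object")
    if toks[pos:pos + 1] != ["mode"] or len(toks) != pos + 2:
        raise ValueError(f"expected 'mode <arswxn>' as the final clause in {text!r}")
    mode = toks[pos + 1]
    bad = set(mode) - MODE_CHARS
    if bad:
        raise ValueError(f"unknown mode character(s) {sorted(bad)} in {text!r}")
    # "n" adds nothing, so "mode n" yields an empty permission set (assumption).
    return Rule(num, subject, obj, frozenset(set(mode) & set(ACCESS_CHARS)))


def check_access(rules: List[Rule], subj_uid: int, subj_gid: int,
                 obj_uid: int, obj_gid: int, access: str) -> Optional[int]:
    """Return the number of the rule that denies the access, or None if allowed.

    Assumption: rules are walked in ascending rule-number order and the first
    applicable rule whose mode lacks the requested access denies it. An access
    matched by no rule, or only by rules that grant it, passes this policy
    (the ordinary file permissions are still checked separately).
    """
    if len(access) != 1 or access not in ACCESS_CHARS:
        raise ValueError(f"access must be one of {ACCESS_CHARS!r}")
    for rule in sorted(rules, key=lambda r: r.num):
        if rule.subject.matches(subj_uid, subj_gid) and rule.obj.matches(obj_uid, obj_gid):
            if access not in rule.mode:
                return rule.num
    return None


# Constructed sample policy (not from the manual page): files owned by uid 1001
# are private to uid 1001, and group 1000 may only read, stat and execute
# root-owned files.
SAMPLE_RULES = [parse_rule(line) for line in (
    "set 1 subject not uid 1001 object uid 1001 mode n",
    "set 2 subject gid 1000 object uid 0 mode rsx",
)]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule.to_command())
    cases = [
        ((1002, 100), (1001, 1001), "r"),   # another user reads uid 1001's file
        ((0, 0), (1001, 1001), "r"),        # uid 0 is not exempt in this model
        ((1001, 1001), (1001, 1001), "w"),  # owner writes its own file
        ((500, 1000), (0, 0), "x"),         # group 1000 executes a root-owned file
        ((500, 1000), (0, 0), "w"),         # ... but may not write it
    ]
    for (su, sg), (ou, og), acc in cases:
        denied_by = check_access(SAMPLE_RULES, su, sg, ou, og, acc)
        verdict = "allowed" if denied_by is None else f"denied by rule {denied_by}"
        print(f"uid {su} gid {sg} -> {acc} on file uid {ou} gid {og}: {verdict}")
```

Running the script prints the two install commands and then one verdict per
constructed request; the second case shows why a rule written with
.Cm subject not uid
catches uid 0 as well unless the subject clause excludes it.
Returning the denying rule number rather than a bare boolean is what makes a
rule set of this kind debuggable once it grows beyond a handful of entries.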