1.\" Copyright (c) 2002, 2004 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris 5.\" Costello at Safeport Network Services and NAI Labs, the Security 6.\" Research Division of Network Associates, Inc. under DARPA/SPAWAR 7.\" contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS 8.\" research program. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 19.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 20.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 23.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29.\" SUCH DAMAGE. 
30.\" 31.\" $FreeBSD$ 32.\" 33.Dd February 24, 2004 34.Dt UGIDFW 8 35.Os 36.Sh NAME 37.Nm ugidfw 38.Nd "firewall-like access controls for file system objects" 39.Sh SYNOPSIS 40.Nm 41.Cm add 42.Cm subject 43.Op Cm not 44.Op Cm uid Ar uid 45.Op Cm gid Ar gid 46.Cm object 47.Op Cm not 48.Op Cm uid Ar uid 49.Op Cm gid Ar gid 50.Cm mode 51.Ar arswxn 52.Nm 53.Cm list 54.Nm 55.Cm set 56.Ar rulenum 57.Cm subject 58.Op Cm not 59.Op Cm uid Ar uid 60.Op Cm gid Ar gid 61.Cm object 62.Op Cm not 63.Op Cm uid Ar uid 64.Op Cm gid Ar gid 65.Cm mode 66.Ar arswxn 67.Nm 68.Cm remove 69.Ar rulenum 70.Sh DESCRIPTION 71The 72.Nm 73utility provides an 74.Xr ipfw 8 Ns -like 75interface to manage accesses to file system objects by UID and GID, 76supported by the 77.Xr mac_bsdextended 4 78.Xr mac 9 79policy. 80.Pp 81The arguments are as follows: 82.Bl -tag -width indent -offset indent 83.It Cm add 84Add a new 85.Nm 86rule. 87.It Xo 88.Cm add 89.Cm subject 90.Op Cm not 91.Op Cm uid Ar uid 92.Op Cm gid Ar gid 93.Cm object 94.Op Cm not 95.Op Cm uid Ar uid 96.Op Cm gid Ar gid 97.Cm mode 98.Ar arswxn 99.Xc 100Add a new rule, automatically selecting the rule number. 101See the description of 102.Cm set 103for syntax information. 104.It Cm list 105Produces a list of all the current 106.Nm 107rules in the system. 108.It Xo 109.Cm set Ar rulenum 110.Cm subject 111.Op Cm not 112.Op Cm uid Ar uid 113.Op Cm gid Ar gid 114.Cm object 115.Op Cm not 116.Op Cm uid Ar uid 117.Op Cm gid Ar gid 118.Cm mode 119.Ar arswxn 120.Xc 121Add a new rule or modify an existing rule. 122The arguments are as follows: 123.Bl -tag -width ".Ar rulenum" 124.It Ar rulenum 125Rule number. 126Entries with a lower rule number 127are applied first; 128placing the most frequently-matched rules at the beginning of the list 129(i.e., lower-numbered) 130will yield a slight performance increase. 
131.It Xo 132.Cm subject 133.Op Cm not 134.Op Cm uid Ar uid 135.Op Cm gid Ar gid 136.Xc 137Subjects performing an operation must match 138(or, if 139.Cm not 140is specified, must 141.Em not 142match) 143the user and group specified by 144.Ar uid 145and/or 146.Ar gid 147for the rule to be applied. 148.It Xo 149.Cm object 150.Op Cm not 151.Op Cm uid Ar uid 152.Op Cm gid Ar gid 153.Xc 154Objects must be owned by 155(or, if 156.Cm not 157is specified, must 158.Em not 159be owned by) 160the user and/or group specified by 161.Ar uid 162and/or 163.Ar gid 164for the rule to be applied. 165.It Cm mode Ar arswxn 166Similar to 167.Xr chmod 1 , 168each character represents an access mode. 169If the rule applies, 170the specified access permissions are enforced 171for the object. 172When a character is specified in the rule, 173the rule will allow for the operation. 174Conversely, not including it will cause the operation 175to be denied. 176The definitions of each character are as follows: 177.Pp 178.Bl -tag -width ".Cm w" -compact -offset indent 179.It Cm a 180administrative operations 181.It Cm r 182read access 183.It Cm s 184access to file attributes 185.It Cm w 186write access 187.It Cm x 188execute access 189.It Cm n 190none 191.El 192.El 193.It Cm remove Ar rulenum 194Disable and remove the rule with the specified rule number. 195.El 196.Sh SEE ALSO 197.Xr mac_bsdextended 4 , 198.Xr mac 9 199.Sh HISTORY 200The 201.Nm 202utility first appeared in 203.Fx 5.0 . 204.Sh AUTHORS 205This software was contributed to the 206.Fx 207Project by NAI Labs, the Security Research Division of Network Associates 208Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 209.Pq Dq CBOSS , 210as part of the DARPA CHATS research program. 211
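The rule grammar and matching semantics described in the DESCRIPTION section above, as an added illustrative model written for this page; it is not FreeBSD or ugidfw code. It parses rules in the SYNOPSIS syntax (subject [not] [uid N] [gid N] object [not] [uid N] [gid N] mode arswxn) and evaluates an access request against an ordered rule list. Assumptions not stated in the manual page: uid and gid are given numerically, every rule whose subject and object clauses both match must include the requested mode character for the operation to be allowed (rules are consulted in rule-number order and the first matching rule lacking the character denies), the n character grants nothing regardless of other letters, and a clause with neither uid nor gid is a wildcard. The sample ruleset is constructed for the example.

```python
"""Model of ugidfw(8) rule parsing and evaluation (added example, not FreeBSD code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MODE_CHARS = set("arswxn")          # the mode letters listed in ugidfw(8)
OPERATIONS = MODE_CHARS - {"n"}     # 'n' is "none", not an operation


@dataclass(frozen=True)
class Clause:
    """A 'subject' or 'object' clause: optional uid/gid plus 'not' negation."""
    negate: bool = False
    uid: Optional[int] = None
    gid: Optional[int] = None

    def matches(self, uid: int, gid: int) -> bool:
        # Every specified field must match; 'not' inverts the combined result.
        # Assumption: a clause with neither uid nor gid matches everything.
        hit = (self.uid is None or self.uid == uid) and \
              (self.gid is None or self.gid == gid)
        return not hit if self.negate else hit


@dataclass(frozen=True)
class Rule:
    subject: Clause
    obj: Clause
    mode: frozenset   # permitted operation letters (empty when 'n' given)


def _parse_clause(tokens: List[str], i: int, stop: str) -> Tuple[Clause, int]:
    """Parse '[not] [uid N] [gid N]' starting at tokens[i], up to keyword `stop`."""
    negate, uid, gid = False, None, None
    while i < len(tokens) and tokens[i] != stop:
        tok = tokens[i]
        if tok == "not":
            negate = True
            i += 1
        elif tok in ("uid", "gid") and i + 1 < len(tokens):
            value = int(tokens[i + 1])   # numeric ids only in this model
            if tok == "uid":
                uid = value
            else:
                gid = value
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r}")
    if i >= len(tokens):
        raise ValueError(f"missing {stop!r} keyword")
    return Clause(negate, uid, gid), i + 1   # i + 1 skips the stop keyword


def parse_rule(text: str) -> Rule:
    """Parse one rule in the SYNOPSIS syntax into a Rule."""
    tokens = text.split()
    if not tokens or tokens[0] != "subject":
        raise ValueError("rule must start with 'subject'")
    subject, i = _parse_clause(tokens, 1, "object")
    obj, i = _parse_clause(tokens, i, "mode")
    if i != len(tokens) - 1:
        raise ValueError("expected exactly one mode argument after 'mode'")
    mode = tokens[i]
    bad = set(mode) - MODE_CHARS
    if bad:
        raise ValueError(f"invalid mode characters: {''.join(sorted(bad))}")
    # Assumption: 'n' (none) grants nothing even if other letters are present.
    permitted = frozenset() if "n" in mode else frozenset(mode)
    return Rule(subject, obj, permitted)


def check_access(rules: List[Tuple[int, Rule]], subj_uid: int, subj_gid: int,
                 obj_uid: int, obj_gid: int, op: str) -> bool:
    """Return True if operation `op` (one of a r s w x) is permitted.

    `rules` holds (rulenum, Rule) pairs. Lower rule numbers are consulted
    first; the first matching rule whose mode lacks `op` denies the request.
    """
    if op not in OPERATIONS:
        raise ValueError(f"unknown operation {op!r}")
    for _num, rule in sorted(rules, key=lambda r: r[0]):
        if rule.subject.matches(subj_uid, subj_gid) and \
           rule.obj.matches(obj_uid, obj_gid):
            if op not in rule.mode:
                return False
    return True


# Constructed sample ruleset (not from the manual page): non-root users may
# read, stat and execute files owned by gid 0 but not write to or administer
# them; uid 1001 gets no access at all to files owned by uid 1002.
SAMPLE_RULES = [
    (100, parse_rule("subject not uid 0 object gid 0 mode rsx")),
    (200, parse_rule("subject uid 1001 object uid 1002 mode n")),
]

if __name__ == "__main__":
    print(check_access(SAMPLE_RULES, 1001, 1001, 0, 0, "w"))        # False
    print(check_access(SAMPLE_RULES, 1001, 1001, 0, 0, "r"))        # True
    print(check_access(SAMPLE_RULES, 0, 0, 0, 0, "w"))              # True
    print(check_access(SAMPLE_RULES, 1001, 1001, 1002, 1002, "r"))  # False
```

Root (uid 0) passes the first rule untouched because the negated subject clause does not match it, which shows how not scopes a rule to everyone except the named identity.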