1.\" Copyright (c) 2002 Networks Associates Technology, Inc. 2.\" All rights reserved. 3.\" 4.\" This software was developed for the FreeBSD Project by Chris 5.\" Costello at Safeport Network Services and NAI Labs, the Security 6.\" Research Division of Network Associates, Inc. under DARPA/SPAWAR 7.\" contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS 8.\" research program. 9.\" 10.\" Redistribution and use in source and binary forms, with or without 11.\" modification, are permitted provided that the following conditions 12.\" are met: 13.\" 1. Redistributions of source code must retain the above copyright 14.\" notice, this list of conditions and the following disclaimer. 15.\" 2. Redistributions in binary form must reproduce the above copyright 16.\" notice, this list of conditions and the following disclaimer in the 17.\" documentation and/or other materials provided with the distribution. 18.\" 3. The names of the authors may not be used to endorse or promote 19.\" products derived from this software without specific prior written 20.\" permission. 21.\" 22.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND 23.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE 26.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32.\" SUCH DAMAGE. 
33.\" 34.\" $FreeBSD$ 35.Dd OCTOBER 11, 2002 36.Os 37.Dt UGIDFW 8 38.Sh NAME 39.Nm ugidfw 40.Nd firewall-like access controls for file system objects 41.Sh SYNOPSIS 42.Nm 43.Cm list 44.Nm 45.Cm set 46.Ar rulenum 47.Cm subject 48.Op Cm not 49.Op uid Ar uid 50.Op gid Ar gid 51.Cm object 52.Op Cm not 53.Op Cm uid Ar uid 54.Op Cm gid Ar gid 55.Cm mode 56.Ar arswxn 57.Nm 58.Cm remove 59.Ar rulenum 60.Sh DESCRIPTION 61The 62.Nm 63command provides an 64.Xr ipfw 8 Ns -like 65interface to manage accesses to file system objects by UID and GID, 66supported by the 67.Nm mac_bsdextended 68.Xr mac 9 69policy. 70.Pp 71The arguments are as follows: 72.Bl -tag -width 6n -offset indent 73.It Cm list 74Produces a list of all the current 75.Nm 76rules in the system. 77.It Xo 78.Cm set Ar rulenum 79.Cm subject 80.Op Cm not 81.Op uid Ar uid 82.Op gid Ar gid 83.Cm object 84.Op Cm not 85.Op Cm uid Ar uid 86.Op Cm gid Ar gid 87.Cm mode 88.Ar arswxn 89.Xc 90Add a new rule or modify an existing rule. 91The arguments are as follows: 92.Bl -tag -width 7n 93.It Ar rulenum 94Rule number. 95Entries with a lower rule number 96are applied first; 97placing the most frequently-matched rules at the beginning of the list 98(i.e. lower-numbered) 99will yield a slight performance increase. 100.It Xo 101.Cm subject 102.Op Cm not 103.Op Cm uid Ar uid 104.Op Cm gid Ar gid 105.Xc 106Subjects performing an operation must match 107(or, if 108.Dq not 109is specified, must 110.Em not 111match) 112the user and group specified by 113.Ar uid 114and/or 115.Ar gid 116for the rule to be applied. 117.It Xo 118.Cm object 119.Op Cm not 120.Op Cm uid Ar uid 121.Op Cm gid Ar gid 122.Xc 123Objects must be owned by 124(or, if 125.Dq not 126is specified, must 127.Em not 128be owned by) 129the user and/or group specified by 130.Ar uid 131and/or 132.Ar gid 133for the rule to be applied. 134.It Cm mode Ar arswxn 135Similar to 136.Xr chmod 1 , 137each character represents an access mode. 
138If the rule applies, 139the specified access permissions are enforced 140for the object. 141When a character is specified in the rule, 142the rule will allow for the operation. 143Conversely, not including it will cause the operation 144to be denied. 145The definitions of each character are as follows: 146.Bl -tag -width 3n -compact -offset indent 147.It Sq a 148Administrative operations 149.It Sq r 150Read access 151.It Sq s 152Access to file attributes 153.It Sq w 154Write access 155.It Sq x 156Execute access 157.It Sq n 158None 159.El 160.El 161.It Cd remove Ar rulenum 162Disable and remove the rule with the specified rule number. 163.El 164.Sh SEE ALSO 165.Xr mac 9 166.Sh HISTORY 167The 168.Nm 169command first appeared in 170.Fx 5.0 . 171.Sh AUTHORS 172This software was contributed to the 173.Fx 174Project by NAI Labs, the Security Research Division of Network Associates 175Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), 176as part of the DARPA CHATS research program. 177
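The rule grammar of the set command (subject and object matchers with optional not, uid and gid) and the meaning of the mode characters described above can be exercised with a small model of the policy. The following Python program is an added example, not code from FreeBSD or from the mac_bsdextended policy: it parses rules in the command-line syntax shown in the SYNOPSIS, lists them back in the same form, and decides whether a subject may perform an operation on an object. Two assumptions are the model's own and not stated by the page: rules are consulted in ascending rule-number order and the first rule whose subject and object both match decides the outcome, and when no rule matches the policy imposes no restriction (the normal file system permissions still apply outside this model). The rules and identities used are constructed sample values.

```python
"""Model of ugidfw-style rule evaluation (added example, not FreeBSD code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MODE_CHARS = set("arswxn")          # a=admin r=read s=attributes w=write x=exec n=none
OPERATION_CHARS = MODE_CHARS - {"n"}


@dataclass
class Match:
    """A subject or object matcher: [not] [uid N] [gid N]."""
    negate: bool
    uid: Optional[int]
    gid: Optional[int]

    def applies(self, uid: int, gid: int) -> bool:
        ok = (self.uid is None or uid == self.uid) and (self.gid is None or gid == self.gid)
        return (not ok) if self.negate else ok


@dataclass
class Rule:
    rulenum: int
    subject: Match
    obj: Match
    mode: str


def _parse_match(tokens: List[str], i: int, keyword: str) -> Tuple[Match, int]:
    if i >= len(tokens) or tokens[i] != keyword:
        raise ValueError(f"expected '{keyword}' at token {i}")
    i += 1
    negate = False
    if i < len(tokens) and tokens[i] == "not":
        negate, i = True, i + 1
    uid = gid = None
    while i + 1 < len(tokens) and tokens[i] in ("uid", "gid"):
        if tokens[i] == "uid":
            uid = int(tokens[i + 1])
        else:
            gid = int(tokens[i + 1])
        i += 2
    return Match(negate, uid, gid), i


def parse_rule(text: str) -> Rule:
    """Parse 'set RULENUM subject ... object ... mode CHARS' into a Rule."""
    tokens = text.split()
    if len(tokens) < 2 or tokens[0] != "set":
        raise ValueError("rule must start with 'set RULENUM'")
    rulenum = int(tokens[1])
    subject, i = _parse_match(tokens, 2, "subject")
    obj, i = _parse_match(tokens, i, "object")
    if i + 2 != len(tokens) or tokens[i] != "mode":
        raise ValueError("rule must end with 'mode CHARS'")
    mode = tokens[i + 1]
    if not mode or not set(mode) <= MODE_CHARS:
        raise ValueError(f"mode must use only the characters {''.join(sorted(MODE_CHARS))}")
    return Rule(rulenum, subject, obj, mode)


def _format_match(keyword: str, m: Match) -> str:
    parts = [keyword] + (["not"] if m.negate else [])
    if m.uid is not None:
        parts += ["uid", str(m.uid)]
    if m.gid is not None:
        parts += ["gid", str(m.gid)]
    return " ".join(parts)


def format_rule(rule: Rule) -> str:
    """Render a Rule in the command-line form, as a 'list' subcommand would."""
    return (f"set {rule.rulenum} {_format_match('subject', rule.subject)} "
            f"{_format_match('object', rule.obj)} mode {rule.mode}")


def check_access(rules: List[Rule], subj_uid: int, subj_gid: int,
                 obj_uid: int, obj_gid: int, requested: str) -> Tuple[bool, Optional[int]]:
    """Return (allowed, deciding rulenum). Lower rule numbers are consulted first;
    the first rule matching both subject and object decides (model assumption).
    Every requested operation character must be present in the rule's mode."""
    if not requested or not set(requested) <= OPERATION_CHARS:
        raise ValueError("requested must be a non-empty subset of 'arswx'")
    for rule in sorted(rules, key=lambda r: r.rulenum):
        if rule.subject.applies(subj_uid, subj_gid) and rule.obj.applies(obj_uid, obj_gid):
            granted = set(rule.mode) - {"n"}      # 'n' grants nothing
            return set(requested) <= granted, rule.rulenum
    return True, None                              # no applicable rule: unrestricted by policy


# Constructed sample rule set (not from the page).
SAMPLE_RULES = [
    "set 10 subject uid 0 object mode arswx",             # root: unrestricted on everything
    "set 20 subject gid 1001 object not gid 1001 mode rsx",  # group 1001: read-only outside its group
    "set 30 subject not uid 1002 object uid 1002 mode n",    # nobody but uid 1002 touches 1002's files
]
RULES = [parse_rule(r) for r in SAMPLE_RULES]

if __name__ == "__main__":
    for r in RULES:
        print(format_rule(r))
    print(check_access(RULES, 1003, 1003, 1002, 1002, "r"))   # (False, 30)
```

Because rule 10 matches root on any object, root is never reached by the denying rule 30; a policy author who wants rule 30 to bind root as well would have to place it at a lower rule number, which is the ordering point the rulenum description makes.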