rc.bsdextended revision 135912
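#!/bin/sh
#
# Copyright (c) 2004 Tom Rhodes
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: head/etc/rc.bsdextended 135912 2004-09-29 00:12:28Z trhodes $
#

####
# Sample startup policy for the mac_bsdextended(4) security module.
#
# Every rule below is loaded with ugidfw(8) and is evaluated by the kernel
# against *all* file access on the system; consult mac_bsdextended(4) for
# how overlapping rules combine.  Treat this file as a template: review and
# adjust the uids/gids before enabling it.
#
# Suck in the system configuration variables, unless whoever ran (or
# sourced) this file has already done so -- source_rc_confs_defined is
# presumably set by /etc/defaults/rc.conf, so the check avoids reading the
# rc.conf files twice.
####
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

####
# Set ugidfw(8) to CMD:
####
CMD=/usr/sbin/ugidfw

####
# WARNING: recommended reading is the handbook's MAC chapter and the
# ugidfw(8) manual page.  You can lock yourself out of the system very
# quickly by setting incorrect values here.
####

####
# Regular (non-system) accounts: every entry in /etc/passwd with a uid of
# 1001 or more, except nobody (65534).  The names and the numeric uids are
# extracted once here instead of re-running awk in front of each loop
# below.  awk prints one entry per line, and the default IFS splits on
# newlines, so the unquoted $bsdext_users / $bsdext_uids in the for loops
# expand to one word per account -- this is the "work around" the original
# author referred to.  The variables are prefixed to limit clobbering when
# this file is sourced rather than executed.
####
bsdext_users=$(awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' /etc/passwd)
bsdext_uids=$(awk -F: '($3 >= 1001) && ($3 != 65534) { print $3 }' /etc/passwd)

####
# Build a generic list of rules here, these should be
# modified before using this script.
# ugidfw add 1 subject uid USER1 object uid USER2 mode n
# ugidfw add 2 subject gid USER1 object gid USER2 mode n
#
# For apache to read user files, the ruleadd must give
# it permissions by default.
####
${CMD} add subject uid 80 object not uid 80 mode rxws
${CMD} add subject gid 80 object not gid 80 mode rxws

####
# majordomo compat:
#${CMD} add subject uid 54 object not uid 54 mode rxws
${CMD} add subject gid 26 object gid 54 mode rxws

####
# This is for root (note the extra 'a' -- admin -- bit compared with the
# service accounts below):
${CMD} add subject uid 0 object not uid 0 mode arxws
${CMD} add subject gid 0 object not gid 0 mode arxws

####
# And for mailnull (listed once; an identical second stanza that used to
# follow the smmsp rules was redundant and has been dropped):
${CMD} add subject uid 26 object not uid 26 mode rxws
${CMD} add subject gid 26 object not gid 26 mode rxws

####
# And for majordomo:
${CMD} add subject uid 54 object not uid 54 mode rxws
${CMD} add subject gid 54 object not gid 54 mode rxws

####
# And for bin:
${CMD} add subject uid 3 object not uid 3 mode rxws
${CMD} add subject gid 7 object not gid 7 mode rxws

####
# And for mail/pop (the gid 6 rule deliberately carries the 'a' bit):
${CMD} add subject uid 68 object not uid 68 mode rxws
${CMD} add subject gid 6 object not gid 6 mode arxws

####
# And for smmsp:
${CMD} add subject uid 25 object not uid 25 mode rxws
${CMD} add subject gid 25 object not gid 25 mode rxws

####
# For cyrus:
${CMD} add subject uid 60 object not uid 60 mode rxws
${CMD} add subject gid 60 object not gid 60 mode rxws

####
# For stunnel.  NOTE(review): uid 1018 is >= 1001, so this account is also
# picked up by the per-user loops below -- confirm that is intended.
${CMD} add subject uid 1018 object not uid 1018 mode rxws
${CMD} add subject gid 1018 object not gid 1018 mode rxws

####
# For the nobody account:
${CMD} add subject uid 65534 object not uid 65534 mode rxws
${CMD} add subject gid 65534 object not gid 65534 mode rxws

####
# NOTICE: The next loop adds a rule to allow every regular user full
# (arwxs) access to objects owned by GID `6'.  Per the original author,
# removing this will give mailbox lock issues.
####
for x in $bsdext_users; do
	${CMD} add subject uid "$x" object gid 6 mode arwxs
done

####
# Work around majordomo problem where gid is `4'.
####
for x in $bsdext_users; do
	${CMD} add subject uid "$x" object gid 4 mode arwxs
done

####
# Isolate all regular users from each other: anything not running as
# user X gets mode n (no access) on objects owned by X.  This keeps users
# out of one another's home directories while still letting them use
# commands and browse the rest of the system.
####
for x in $bsdext_users; do
	${CMD} add subject not uid "$x" object uid "$x" mode n
done

###
# Do the same thing keyed on group id: a subject not in group X gets no
# access to objects owned by uid X.  NOTE(review): the numeric uid is used
# for both the gid and the uid here, which only lines up where each
# account's primary gid equals its uid -- confirm before relying on it.
###
for x in $bsdext_uids; do
	${CMD} add subject not gid "$x" object uid "$x" mode n
done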