rc.bsdextended revision 135912
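#!/bin/sh
#
# Copyright (c) 2004 Tom Rhodes
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: head/etc/rc.bsdextended 135912 2004-09-29 00:12:28Z trhodes $
#

####
# Sample startup policy for the mac_bsdextended(4) security module.
#
# Suck in the system configuration variables.
####
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

####
# Set ugidfw(8) to CMD:
####
CMD=/usr/sbin/ugidfw

####
# Refuse to continue if ugidfw(8) is unavailable.  Silently skipping the
# rules below would leave the system running with no bsdextended policy
# at all, which is worse than an explicit, visible failure.
####
if [ ! -x "${CMD}" ]; then
	echo "${0##*/}: ${CMD} not found or not executable; no rules loaded" >&2
	exit 1
fi

####
# add_rule -- wrapper around "ugidfw add".  A rule that ugidfw rejects
# is reported on stderr and counted, so a partially applied policy is
# not mistaken for a complete one (the script exits non-zero at the end
# if any rule failed).
# Arguments: the rule specification, exactly as ugidfw(8) "add" takes it.
####
failed=0
add_rule() {
	if ! "${CMD}" add "$@"; then
		echo "${0##*/}: rule rejected: ${CMD} add $*" >&2
		failed=$((failed + 1))
	fi
}

####
# WARNING: recommended reading is the handbook's MAC
# chapter and the ugidfw(8)
# manual page.  You can lock yourself out of the system
# very quickly by setting incorrect values here.
####

####
# Local user accounts: UIDs from 1001 upward, excluding nobody (65534).
# Both lists are computed once here; they are newline-separated and are
# split on whitespace by the unquoted expansions in the loops below,
# which is what the original per-loop awk invocations relied on too.
####
users=$(awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' /etc/passwd)
uids=$(awk -F: '($3 >= 1001) && ($3 != 65534) { print $3 }' /etc/passwd)

####
# Build a generic list of rules here, these should be
# modified before using this script.
# ugidfw add 1 subject uid USER1 object uid USER2 mode n
# ugidfw add 2 subject gid USER1 object gid USER2 mode n
#
# For apache to read user files, the ruleadd must give
# it permissions by default.
####
add_rule subject uid 80 object not uid 80 mode rxws
add_rule subject gid 80 object not gid 80 mode rxws

####
# majordomo compat:
#add_rule subject uid 54 object not uid 54 mode rxws
add_rule subject gid 26 object gid 54 mode rxws

####
# This is for root:
add_rule subject uid 0 object not uid 0 mode arxws
add_rule subject gid 0 object not gid 0 mode arxws

####
# And for mailnull:
add_rule subject uid 26 object not uid 26 mode rxws
add_rule subject gid 26 object not gid 26 mode rxws

####
# And for majordomo:
add_rule subject uid 54 object not uid 54 mode rxws
add_rule subject gid 54 object not gid 54 mode rxws

####
# And for bin:
add_rule subject uid 3 object not uid 3 mode rxws
add_rule subject gid 7 object not gid 7 mode rxws

####
# And for mail/pop:
add_rule subject uid 68 object not uid 68 mode rxws
add_rule subject gid 6 object not gid 6 mode arxws

####
# And for smmsp:
add_rule subject uid 25 object not uid 25 mode rxws
add_rule subject gid 25 object not gid 25 mode rxws

# (The mailnull rules were listed a second time here in the original;
# the duplicate added the same two rules twice and has been dropped.)

####
# For cyrus:
add_rule subject uid 60 object not uid 60 mode rxws
add_rule subject gid 60 object not gid 60 mode rxws

####
# For stunnel:
add_rule subject uid 1018 object not uid 1018 mode rxws
add_rule subject gid 1018 object not gid 1018 mode rxws

####
# For the nobody account:
add_rule subject uid 65534 object not uid 65534 mode rxws
add_rule subject gid 65534 object not gid 65534 mode rxws

####
# NOTICE: The next loop adds a rule to allow users to
# access their mailbox which is owned by GID `6'.
# Removing this will give mailbox lock issues.
####
for x in ${users}; do		# word-splitting of ${users} is intended
	add_rule subject uid "${x}" object gid 6 mode arwxs
done

####
# Work around majordomo problem where gid is `4'.
####
for x in ${users}; do		# word-splitting of ${users} is intended
	add_rule subject uid "${x}" object gid 4 mode arwxs
done

####
# Use the user list to add all users to mode n for all other
# users.  This will isolate all users from other user home
# directories while permitting them to use commands and browse
# the system.
####
for x in ${users}; do		# word-splitting of ${users} is intended
	add_rule subject not uid "${x}" object uid "${x}" mode n
done

####
# Do the same thing but only for group ids in place of
# user IDs.
# NOTE(review): the list comes from passwd field 3 (the numeric uid)
# and the object is "uid", not "gid", so this rule only denies access
# to a user's own uid from any group whose gid happens to equal that
# uid.  Confirm against ugidfw(8) whether "object gid" was intended
# before relying on this for group isolation.
####
for x in ${uids}; do		# word-splitting of ${uids} is intended
	add_rule subject not gid "${x}" object uid "${x}" mode n
done

####
# Report an incomplete policy to the caller rather than exiting 0.
####
[ "${failed}" -eq 0 ] || exit 1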