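#!/bin/sh
#
# Copyright (c) 2004 Tom Rhodes
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$
#

####
# Sample startup policy for the mac_bsdextended(4) security module.
#
# This file may be run directly or sourced by the rc framework (the
# source_rc_confs_defined test below exists for the latter case), so it
# deliberately avoids "set -e" and "exit": either one would change the
# options of, or terminate, a shell that sources it.  ugidfw(8) reports
# rule errors itself.
#
# Suck in the system configuration variables.
####
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

####
# Set ugidfw(8) to CMD:
####
CMD=/usr/sbin/ugidfw

####
# Warn once, rather than once per rule, when the enforcement tool is
# missing.  The rule lines below still run and fail individually, so the
# absence of the policy is visible in the boot output.
####
if [ ! -x "${CMD}" ]; then
	printf '%s\n' "mac_bsdextended policy: ${CMD} is not executable; rules will not be loaded" >&2
fi

####
# Print "name uid gid" for every regular local account: uid >= 1001 and
# not the nobody uid (65534).  Only /etc/passwd is consulted, so accounts
# that exist solely in a directory service get no per-user rules.
# Fields: passwd(5) field 1 is the login name, 3 the uid, 4 the primary gid.
####
regular_users() {
	awk -F: '($3 >= 1001) && ($3 != 65534) { print $1, $3, $4 }' /etc/passwd
}

####
# WARNING: recommended reading is the handbook's MAC
# chapter and the ugidfw(8) manual page.  You can
# lock yourself out of the system very quickly by setting
# incorrect values here.  These are only examples.
####

####
# Build a generic list of rules here; these should be
# modified before using this script.
#
# For apache to read user files, the ruleadd must give
# it permissions by default.
####
#"${CMD}" add subject uid 80 object not uid 80 mode rxws
#"${CMD}" add subject gid 80 object not gid 80 mode rxws

####
# majordomo compat:
#"${CMD}" add subject uid 54 object not uid 54 mode rxws
#"${CMD}" add subject gid 26 object gid 54 mode rxws

####
# This is for root:
"${CMD}" add subject uid 0 object not uid 0 mode arxws
"${CMD}" add subject gid 0 object not gid 0 mode arxws

####
# And for majordomo:
#"${CMD}" add subject uid 54 object not uid 54 mode rxws
#"${CMD}" add subject gid 54 object not gid 54 mode rxws

####
# And for bin:
"${CMD}" add subject uid 3 object not uid 3 mode rxws
"${CMD}" add subject gid 7 object not gid 7 mode rxws

####
# And for mail/pop:
#"${CMD}" add subject uid 68 object not uid 68 mode rxws
#"${CMD}" add subject gid 6 object not gid 6 mode arxws

####
# And for smmsp:
"${CMD}" add subject uid 25 object not uid 25 mode rxws
"${CMD}" add subject gid 25 object not gid 25 mode rxws

####
# And for mailnull:
"${CMD}" add subject uid 26 object not uid 26 mode rxws
"${CMD}" add subject gid 26 object not gid 26 mode rxws

####
# For cyrus:
#"${CMD}" add subject uid 60 object not uid 60 mode rxws
#"${CMD}" add subject gid 60 object not gid 60 mode rxws

####
# For stunnel:
#"${CMD}" add subject uid 1018 object not uid 1018 mode rxws
#"${CMD}" add subject gid 1018 object not gid 1018 mode rxws

####
# For the nobody account:
"${CMD}" add subject uid 65534 object not uid 65534 mode rxws
"${CMD}" add subject gid 65534 object not gid 65534 mode rxws

####
# NOTICE: The next loop adds, for every regular user, a rule allowing
# access to their mailbox, which is owned by GID `6'.
# Removing this will give mailbox lock issues.
#
# The user list is read line by line instead of being word-split from a
# command substitution, so a login name is always passed as one argument.
####
regular_users | while read -r name _ _; do
	"${CMD}" add subject uid "${name}" object gid 6 mode arwxs
done

####
# Add all users to mode n for all other users.  This
# will isolate all users from other user home directories while
# permitting them to use commands and browse the system.
####
regular_users | while read -r name _ _; do
	"${CMD}" add subject not uid "${name}" object uid "${name}" mode n
done

####
# Do the same thing but with the user's primary group id in place of
# the user ID.  The earlier sample fed the numeric uid into the "gid"
# field, which only matches the intended group when every user owns a
# private group numbered like their uid; the passwd gid field is the
# right number for any group layout.
####
regular_users | while read -r _ uid gid; do
	"${CMD}" add subject not gid "${gid}" object uid "${uid}" mode n
done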