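#!/bin/sh
#
# Copyright (c) 2004 Tom Rhodes
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD: releng/10.3/etc/rc.bsdextended 157957 2006-04-22 11:02:44Z trhodes $
#

####
# Sample startup policy for the mac_bsdextended(4) security module.
#
# Every rule below is installed with ugidfw(8); the "mode" letters and
# the subject/object grammar are documented there, and the evaluation
# semantics of the resulting rule set in mac_bsdextended(4).
#
# NOTE(review): this file looks like it is meant to be sourced by the
# rc framework rather than run as a standalone program (it relies on
# ${source_rc_confs_defined} and the source_rc_confs function from
# /etc/defaults/rc.conf).  Do not add "set -e", "exit", or shell
# functions here without confirming how it is invoked, as they would
# affect the calling shell.
#
# Suck in the system configuration variables.
####
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

####
# Set ugidfw(8) to CMD:
####
CMD=/usr/sbin/ugidfw

####
# WARNING: recommended reading is the handbook's MAC
# chapter and the ugidfw(8) manual page.  You can
# lock yourself out of the system very quickly by setting
# incorrect values here.  These are only examples.
####

####
# Build a generic list of rules here, these should be
# modified before using this script.
#
# For apache to read user files, the ruleadd must give
# it permissions by default.
####
#${CMD} add subject uid 80 object not uid 80 mode rxws;
#${CMD} add subject gid 80 object not gid 80 mode rxws;

####
# majordomo compat:
#${CMD} add subject uid 54 object not uid 54 mode rxws;
#${CMD} add subject gid 26 object gid 54 mode rxws;

####
# This is for root:
${CMD} add subject uid 0 object not uid 0 mode arxws
${CMD} add subject gid 0 object not gid 0 mode arxws

####
# And for majordomo:
#${CMD} add subject uid 54 object not uid 54 mode rxws;
#${CMD} add subject gid 54 object not gid 54 mode rxws;

####
# And for bin:
${CMD} add subject uid 3 object not uid 3 mode rxws
${CMD} add subject gid 7 object not gid 7 mode rxws

####
# And for mail/pop:
#${CMD} add subject uid 68 object not uid 68 mode rxws;
#${CMD} add subject gid 6 object not gid 6 mode arxws;

####
# And for smmsp:
${CMD} add subject uid 25 object not uid 25 mode rxws
${CMD} add subject gid 25 object not gid 25 mode rxws

####
# And for mailnull:
${CMD} add subject uid 26 object not uid 26 mode rxws
${CMD} add subject gid 26 object not gid 26 mode rxws

####
# For cyrus:
#${CMD} add subject uid 60 object not uid 60 mode rxws;
#${CMD} add subject gid 60 object not gid 60 mode rxws;

####
# For stunnel:
#${CMD} add subject uid 1018 object not uid 1018 mode rxws;
#${CMD} add subject gid 1018 object not gid 1018 mode rxws;

####
# For the nobody account:
${CMD} add subject uid 65534 object not uid 65534 mode rxws
${CMD} add subject gid 65534 object not gid 65534 mode rxws

####
# The per-user rules below are generated from /etc/passwd.  "Regular"
# users are taken to be every account with uid >= 1001, excluding
# nobody (65534); adjust the awk filter if the local uid layout differs.
#
# Each account list is consumed with "read -r" from a pipe instead of
# an unquoted command substitution in a for-loop, so that account
# names are never subject to IFS word splitting or pathname expansion
# before they reach ugidfw(8).  Nothing is assigned inside the loops,
# so the pipeline subshell is harmless.
####

####
# NOTICE: The next script adds a rule to allow users
# access to their mailbox, which is owned by GID `6'.
# Removing this will give mailbox lock issues.
####
awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' /etc/passwd |
while IFS= read -r x; do
	${CMD} add subject uid "$x" object gid 6 mode arwxs
done

####
# Use some script to get a list of users and
# add all users to mode n for all other users.  This
# will isolate all users from other user home directories while
# permitting them to use commands and browse the system.
####
awk -F: '($3 >= 1001) && ($3 != 65534) { print $1 }' /etc/passwd |
while IFS= read -r x; do
	${CMD} add subject not uid "$x" object uid "$x" mode n
done

###
# Do the same thing but only for group ids in place of
# user IDs.
#
# NOTE(review): the numeric *uid* (passwd field 3) is used both as the
# object's uid and as the subject's gid, so this rule only isolates a
# user correctly where the user's primary group has the same numeric id
# as the user (the user-private-group layout).  Confirm that holds for
# every account on this system, or switch the gid side to passwd
# field 4.
###
awk -F: '($3 >= 1001) && ($3 != 65534) { print $3 }' /etc/passwd |
while IFS= read -r x; do
	${CMD} add subject not gid "$x" object uid "$x" mode n
done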