[Bug 290140] mdo(1) and mac_do(4) not working on 15ALPHA5

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 290140] mdo(1) and mac_do(4) not working on 15ALPHA5"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 13 Oct 2025 08:57:57 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290140

Olivier Certner <olce@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|regression                  |
             Status|New                         |Closed
           Assignee|bugs@FreeBSD.org            |olce@FreeBSD.org
         Resolution|---                         |Works As Intended

--- Comment #4 from Olivier Certner <olce@FreeBSD.org> ---
Hi,

The "new syntax" (well, we are just talking about the ":" => ">" change) works
as the old (and as you noted, ":" is still accepted).  Effectively, ">" is a
special character to the shell and you have to quote it.  Obviously, this
drawback was considered when changing the separator between the from/to parts
of a rule, but was then deemed a minor inconvenience compared to having a more
readable rule specification (":" is very much associated to path separation in
UNIX, and catches the eye too much IMO, whereas this is not the separator
between rules but just inside rules between parts; and ">" is supposed to evoke
an arrow, helping visualize the authorized transition).  The plan was to
deprecate ":" at some point (that's why it was removed from the documentation;
not before 16 in any case), but if people absolutely prefer ":", we can as well
keep it indefinitely.

The "Operation not permitted" you are observing is perfectly normal (and it is
not a regression).  As explained in the manual page, if you specify a clause
with type "gid" in the "to" part of a rule, then no default are applied for
groups and you get what you asked for.  In your example, only 0 is allowed for
primary groups (real, effective, saved variants) and *no supplementary groups*
are allowed at all.  This is not going to work on regular installations, where
'root' is a member of the 'wheel' and 'operator' supplementary groups.  So what
you want instead if you want to be very-fine grained is:
sysctl security.mac.do.rules='uid=1001>uid=0,gid=0,+gid=0,+gid=5'

-- 
You are receiving this mail because:
You are the assignee for the bug.