Re: Generic module for managing access through the mac framework

From: Alexander Leidinger <Alexander_at_Leidinger.net>
Date: Wed, 05 Jun 2024 07:07:26 UTC
Am 2024-06-04 16:47, schrieb Nicolas MASSE:

> Hello,
> 
> At my company, we are working on a generic mac module. Its purpose is 
> to grant some users a set of privileges in order to run their services.
> 
> For example, it can be configured in order to allow the ntp user to set 
> the system clock (PRIV_CLOCK_SETTIME), or allow a process to change its 
> user or groups (PRIV_CRED_SET[UID|GID|GROUPS), restricting them to some 
> allowed values.
> 
> After reading the discussions around the mac_do module, I was wondering 
> if other people could be interested in such a more generic module.
> 
> Even though it doesn't do the exact same thing, it still has a lot in 
> common with mac_do while extending its capabilities.
> 
> So far, it is still a work in progress so we don't have code to share 
> yet. Though I think it'd be interesting to speak about the idea.
> 
> I can explain further how we plan to do this if any of you is 
> interested.

This sounds a bit like the Solaris RBAC/privileges.

   
https://docs.oracle.com/cd/E23824_01/html/821-1456/prbac-1.html#scrolltoc

IMO it would be worth to include, as it allows a more fine grained 
access to privileged stuff without the need to handout full root 
permissions to some applications.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF