Re: Generic module for managing access through the mac framework
- In reply to: Nicolas MASSE : "Generic module for managing access through the mac framework"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 05 Jun 2024 07:07:26 UTC
Am 2024-06-04 16:47, schrieb Nicolas MASSE: > Hello, > > At my company, we are working on a generic mac module. Its purpose is > to grant some users a set of privileges in order to run their services. > > For example, it can be configured in order to allow the ntp user to set > the system clock (PRIV_CLOCK_SETTIME), or allow a process to change its > user or groups (PRIV_CRED_SET[UID|GID|GROUPS), restricting them to some > allowed values. > > After reading the discussions around the mac_do module, I was wondering > if other people could be interested in such a more generic module. > > Even though it doesn't do the exact same thing, it still has a lot in > common with mac_do while extending its capabilities. > > So far, it is still a work in progress so we don't have code to share > yet. Though I think it'd be interesting to speak about the idea. > > I can explain further how we plan to do this if any of you is > interested. This sounds a bit like the Solaris RBAC/privileges. https://docs.oracle.com/cd/E23824_01/html/821-1456/prbac-1.html#scrolltoc IMO it would be worth to include, as it allows a more fine grained access to privileged stuff without the need to handout full root permissions to some applications. Bye, Alexander. -- http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF