mdo(1) run as another user without setuid bit

From: Baptiste Daroussin <bapt_at_freebsd.org>
Date: Tue, 14 May 2024 07:17:13 UTC
Hello everyone,

This is an idea that I have been thinking about for a while (actually since
2015) and that I have been trying to implement a couple of days ago.

On server usage of FreeBSD one thing which often happen is we segregate services
with their own users (service_user).

We also give access to the administrators of those services via their own ssh
keys on their own user (foo) account and of course we want to allow "foo" to run
some commands as "service_user" or get "service_user" privileges.

Usually this is done via some sudo or some doas configuration which both
involved first become root via the setuid bit.

In many cases doas or sudo are overkill for this sole purpose. To cover this
need, I thought we could write a very simple tool which will leverage the mac
framework to make sure we could switch credentials without the need of the
setuid root.

Here comes the idea of mac_do(4) policy.

This is a kernel module policy which allows calling setuid and setgroup from a
non root user, according to some policy root and if the request comes from the
/usr/bin/mdo binary.

The policy are set via sysctl(8):

security.mac.do.rules

which contains a list of rules separated with coma, for example:
uid=1001:80,gid=0:1003,uid=1002:*

which can be translated as:
the user which id is 1001 can become uid 80
the users belonging to the group which id is 0 can become any user 1003
the user which id is 1002 can become any user.

This is only intended to allow full access to the target user, this is not
intended to provide fine grain accès like sudo, doas or userv can do.

Here is an implementation of this idea:
https://reviews.freebsd.org/D45145

Best regards,
Bapt