Policy for a user that can't write any files (apart from in /tmp).

Robert Watson rwatson at FreeBSD.org
Wed Jan 21 09:57:51 PST 2004

On Wed, 21 Jan 2004, Josef Karthauser wrote:

> Is it possible now-a-days with MAC, etc, to set a per user policy such
> that the user doesn't have permissions to write to the file system? 
> I've got a remote user that's logging in to make backup, and it would be
> really cool to prevent them from modifying anything without futzing
> with file permissions and groups. 

Take a look at mac_bsdextended.  The policy rule language isn't very
mature, but should be able to do pretty much what you're looking for.  Be
aware, however, that what you want is probably not what you're asking for.
For example, regardless of wanting them to write to a file system, you
probably do want them to be able to write to their terminal device,
/dev/null, etc.  If you're interested in looking more at mac_bsdextended
and how to enhance the rule language, I'd be happy to help out.  The goal
was to allow policy rules to be set in a type-enforcement like way, but
without introducing domains and types, which have a high administrative
overhead.  One of the things it really needs is a notion of user/group set,
so that you can define sets of users and groups affected by rules in a
more administrator-friendly way (not to mention more rule-efficient).
Also, if it had a 'self' identifier, you could more easily express notions
like "Users can only write to things they own".

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert at fledge.watson.org      Senior Research Scientist, McAfee Research
