1 .\" Copyright (c) 2002 Networks Associates Technology, Inc.
2 .\" All rights reserved.
4 .\" This software was developed for the FreeBSD Project by Chris Costello
5 .\" at Safeport Network Services and Network Associates Laboratories, the
6 .\" Security Research Division of Network Associates, Inc. under
7 .\" DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
8 .\" DARPA CHATS research program.
10 .\" Redistribution and use in source and binary forms, with or without
11 .\" modification, are permitted provided that the following conditions
13 .\" 1. Redistributions of source code must retain the above copyright
14 .\" notice, this list of conditions and the following disclaimer.
15 .\" 2. Redistributions in binary form must reproduce the above copyright
16 .\" notice, this list of conditions and the following disclaimer in the
17 .\" documentation and/or other materials provided with the distribution.
19 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
20 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
23 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 .Dt MAC_SEEOTHERUIDS 4
38 .Nd "simple policy controlling whether users see other users"
41 policy into your kernel, place the following lines in your kernel
43 .Bd -ragged -offset indent
45 .Cd "options MAC_SEEOTHERUIDS"
48 Alternately, to load the module at boot time, place the following line
49 in your kernel configuration file:
50 .Bd -ragged -offset indent
56 .Bd -literal -offset indent
57 mac_seeotheruids_load="YES"
62 policy module, when enabled, denies users to see processes or sockets owned
68 .Va security.mac.seeotheruids.enabled
70 To permit superuser awareness of other credentials by virtue of privilege,
72 .Va security.mac.seeotheruids.suser_privileged
75 To allow users to see processes and sockets owned by the same primary group,
77 .Va security.mac.seeotheruids.primarygroup_enabled
80 To allow processes with a specific group ID to be exempt from the policy,
82 .Va security.mac.seeotheruids.specificgid_enabled
84 .Va security.mac.seeotheruids.specificgid
85 to the group ID to be exempted.
87 No labels are defined for
92 .Xr mac_bsdextended 4 ,
104 policy module first appeared in
106 and was developed by the
110 This software was contributed to the
112 Project by Network Associates Labs,
113 the Security Research Division of Network Associates
115 under DARPA/SPAWAR contract N66001-01-C-8035
117 as part of the DARPA CHATS research program.
121 concerning appropriateness for production use.
124 MAC Framework is considered experimental in
127 While the MAC Framework design is intended to support the containment of
128 the root user, not all attack channels are currently protected by entry
130 As such, MAC Framework policies should not be relied on, in isolation,
131 to protect against a malicious privileged user.