handbook/security: document mdo(1) for privilege escalation

kovan · kovan · commit 88ce3bca2351 · 2026-03-27T02:59:33.000+01:00
Add a new section covering mdo(1), the built-in FreeBSD utility for
executing commands as a different user via the mac_do(4) MAC module.

PR: 293535
Signed-off-by: Kit Dallege &lt;xaum.io@gmail.com&gt;
diff --git a/documentation/content/en/books/handbook/security/_index.adoc b/documentation/content/en/books/handbook/security/_index.adoc
@@ -4,7 +4,7 @@ part: Part III. System Administration
 prev: books/handbook/boot
 next: books/handbook/jails
 description: Hundreds of standard practices have been authored about how to secure systems and networks, and as a user of FreeBSD, understanding how to protect against attacks and intruders is a must
-tags: ["security", "TCP Wrappers", "Kerberos", "OpenSSL", "OpenSSH", "ACL", "NFSv4 ACLs", "advisories", "sudo", "doas", "capsicum", "monitoring"]
+tags: ["security", "TCP Wrappers", "Kerberos", "OpenSSL", "OpenSSH", "ACL", "NFSv4 ACLs", "advisories", "sudo", "doas", "mdo", "capsicum", "monitoring"]
 showBookMenu: true
 weight: 20
 params:
@@ -410,6 +410,61 @@ $ doas vi /etc/rc.conf
 
 For more configuration examples, please read man:doas.conf[5].
 
+[[security-mdo]]
+=== Shared Administration with mdo
+
+man:mdo[1] is a built-in FreeBSD utility for executing commands as a different user.
+Unlike man:sudo[8] and man:doas[1], mdo requires no additional package installation.
+It uses the man:mac_do[4] kernel module, which is part of the FreeBSD Mandatory Access Control (MAC) framework.
+
+To use mdo, first load the man:mac_do[4] kernel module:
+
+[source,shell]
+....
+# kldload mac_do
+....
+
+To load the module at boot, add it to [.filename]#/etc/rc.conf#:
+
+[source,shell]
+....
+kld_list="${kld_list} mac_do"
+....
+
+Rules are configured via man:sysctl[8].
+Add the following to [.filename]#/etc/sysctl.conf# to enable mdo and define transition rules:
+
+[.programlisting]
+....
+security.mac.do.enabled=1
+security.mac.do.rules=gid=0>uid=0
+....
+
+The rule `gid=0>uid=0` allows members of the `wheel` group (GID 0) to execute commands as `root` (UID 0).
+Multiple rules are separated by semicolons.
+For example, to also allow user with UID 1000 to run commands as the `www` user:
+
+[.programlisting]
+....
+security.mac.do.rules=gid=0>uid=0;uid=1000>uid=80,gid=80
+....
+
+After configuration, commands can be executed with elevated privileges:
+
+[source,shell]
+....
+$ mdo vi /etc/rc.conf
+....
+
+To start an interactive root shell:
+
+[source,shell]
+....
+$ mdo -i
+....
+
+For more information, see man:mdo[1] and man:mac_do[4].
+
 [[security-ids]]
 == Intrusion Detection System (IDS)
 
