diff --git a/documentation/content/en/books/handbook/security/_index.adoc b/documentation/content/en/books/handbook/security/_index.adoc index f2dc051b6ae..f976f87dd65 100644 --- a/documentation/content/en/books/handbook/security/_index.adoc +++ b/documentation/content/en/books/handbook/security/_index.adoc @@ -4,7 +4,7 @@ part: Part III. System Administration prev: books/handbook/boot next: books/handbook/jails description: Hundreds of standard practices have been authored about how to secure systems and networks, and as a user of FreeBSD, understanding how to protect against attacks and intruders is a must -tags: ["security", "TCP Wrappers", "Kerberos", "OpenSSL", "OpenSSH", "ACL", "NFSv4 ACLs", "advisories", "sudo", "doas", "capsicum", "monitoring"] +tags: ["security", "TCP Wrappers", "Kerberos", "OpenSSL", "OpenSSH", "ACL", "NFSv4 ACLs", "advisories", "sudo", "doas", "mdo", "capsicum", "monitoring"] showBookMenu: true weight: 20 params: 
@@ -410,6 +410,61 @@ $ doas vi /etc/rc.conf For more configuration examples, please read man:doas.conf[5]. +[[security-mdo]] +=== Shared Administration with mdo + +man:mdo[1] is a built-in FreeBSD utility for executing commands as a different user. +Unlike man:sudo[8] and man:doas[1], mdo requires no additional package installation. +It uses the man:mac_do[4] kernel module, which is part of the FreeBSD Mandatory Access Control (MAC) framework. + +To use mdo, first load the man:mac_do[4] kernel module: + +[source,shell] +.... +# kldload mac_do +.... + +To load the module at boot, add it to [.filename]#/etc/rc.conf#: + +[source,shell] +.... +kld_list="${kld_list} mac_do" +.... + +Rules are configured via man:sysctl[8]. +Add the following to [.filename]#/etc/sysctl.conf# to enable mdo and define transition rules: + +[.programlisting] +.... +security.mac.do.enabled=1 +security.mac.do.rules=gid=0>uid=0 +.... + +The rule `gid=0>uid=0` allows members of the `wheel` group (GID 0) to execute commands as `root` (UID 0). +Multiple rules are separated by semicolons. +For example, to also allow user with UID 1000 to run commands as the `www` user: + +[.programlisting] +.... +security.mac.do.rules=gid=0>uid=0;uid=1000>uid=80,gid=80 +.... + +After configuration, commands can be executed with elevated privileges: + +[source,shell] +.... +$ mdo vi /etc/rc.conf +.... + +To start an interactive root shell: + +[source,shell] +.... +$ mdo -i +.... + +For more information, see man:mdo[1] and man:mac_do[4]. + [[security-ids]] == Intrusion Detection System (IDS)
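Review bot: the `security.mac.do.rules` explanation in the second hunk should state whether mdo prompts for any authentication before switching users; as written, `gid=0>uid=0` grants every member of `wheel` commands as `root` with nothing further said, and the doas section this is modelled on makes that distinction explicit, so a sentence such as "the rule alone authorizes the transition; no password is requested" (or the opposite, if that is the actual behaviour) would help a reader choosing between sudo, doas and mdo. Two smaller points in the same hunk: the second example introduces the `uid=80,gid=80` target form without saying that a target may name both a UID and a GID, so the sentence before it should say so, and "to also allow user with UID 1000" should read "to also allow a user with UID 1000". Finally, the [.filename]#/etc/rc.conf# fragment is fenced as `[source,shell]` while the [.filename]#/etc/sysctl.conf# fragments use `[.programlisting]`; both are configuration, not shell input, so they should use the same block style.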