57 changes: 56 additions & 1 deletion documentation/content/en/books/handbook/security/_index.adoc
@@ -4,7 +4,7 @@ part: Part III. System Administration
prev: books/handbook/boot
next: books/handbook/jails
description: Hundreds of standard practices have been authored about how to secure systems and networks, and as a user of FreeBSD, understanding how to protect against attacks and intruders is a must
tags: ["security", "TCP Wrappers", "Kerberos", "OpenSSL", "OpenSSH", "ACL", "NFSv4 ACLs", "advisories", "sudo", "doas", "capsicum", "monitoring"]
tags: ["security", "TCP Wrappers", "Kerberos", "OpenSSL", "OpenSSH", "ACL", "NFSv4 ACLs", "advisories", "sudo", "doas", "mdo", "capsicum", "monitoring"]
showBookMenu: true
weight: 20
params:
@@ -410,6 +410,61 @@ $ doas vi /etc/rc.conf

For more configuration examples, please read man:doas.conf[5].

[[security-mdo]]
=== Shared Administration with mdo

man:mdo[1] is a built-in FreeBSD utility for executing commands as a different user.
Unlike man:sudo[8] and man:doas[1], mdo requires no additional package installation.
It uses the man:mac_do[4] kernel module, which is part of the FreeBSD Mandatory Access Control (MAC) framework.

To use mdo, first load the man:mac_do[4] kernel module:

[source,shell]
....
# kldload mac_do
....

To load the module at boot, add it to [.filename]#/etc/rc.conf#:

[source,shell]
....
kld_list="${kld_list} mac_do"
....

Rules are configured via man:sysctl[8].
Add the following to [.filename]#/etc/sysctl.conf# to enable mdo and define transition rules:

[.programlisting]
....
security.mac.do.enabled=1
security.mac.do.rules=gid=0>uid=0
....

The rule `gid=0>uid=0` allows members of the `wheel` group (GID 0) to execute commands as `root` (UID 0).
Multiple rules are separated by semicolons.
For example, to also allow user with UID 1000 to run commands as the `www` user:

[.programlisting]
....
security.mac.do.rules=gid=0>uid=0;uid=1000>uid=80,gid=80
....

After configuration, commands can be executed with elevated privileges:

[source,shell]
....
$ mdo vi /etc/rc.conf
....

To start an interactive root shell:

[source,shell]
....
$ mdo -i
....

For more information, see man:mdo[1] and man:mac_do[4].

[[security-ids]]
== Intrusion Detection System (IDS)

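Review bot: the new section never says that mdo performs no authentication, so once the rule `security.mac.do.rules=gid=0>uid=0` from the sysctl.conf listing is active, every member of `wheel` can run any command as root with no password prompt and no per-command restriction; that is a weaker control than the sudo and doas configurations described just above (doas only behaves this way with `nopass`), and a sentence stating it should follow the paragraph that explains the `gid=0>uid=0` rule so readers do not treat mdo as a drop-in replacement. Smaller points in the same hunk: "built-in FreeBSD utility" should name the first release that ships mdo and mac_do, since `kldload mac_do` simply fails on older releases; "to also allow user with UID 1000" should read "the user with UID 1000"; the second rule permits a transition to `www`, but every example runs as root, so add a line showing how to select the target user (mdo(1) takes `-u username`, for example `$ mdo -u www command`); entries in /etc/sysctl.conf only take effect at boot, so mention applying them on a running system with sysctl(8) directly, for example `# sysctl security.mac.do.enabled=1`; and the rc.conf fragment is marked `[source,shell]` while the two sysctl.conf fragments use `[.programlisting]`, so use one convention for configuration-file contents.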