From fb8085a2816b3e9f125e38ac0f1c0fe76881b95c Mon Sep 17 00:00:00 2001 From: Chris Costello Date: Thu, 17 Oct 2002 01:54:37 +0000 Subject: [PATCH] Add a man page for ugidfw(8). Obtained from: TrustedBSD Project Sponsored by: DARPA, NAI Labs --- usr.sbin/ugidfw/ugidfw.8 | 176 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 176 insertions(+) create mode 100644 usr.sbin/ugidfw/ugidfw.8 diff --git a/usr.sbin/ugidfw/ugidfw.8 b/usr.sbin/ugidfw/ugidfw.8 new file mode 100644 index 000000000000..d628d4d3fb59 --- /dev/null +++ b/usr.sbin/ugidfw/ugidfw.8 
@@ -0,0 +1,176 @@ +.\" Copyright (c) 2002 Networks Associates Technology, Inc. +.\" All rights reserved. +.\" +.\" This software was developed for the FreeBSD Project by Chris +.\" Costello at Safeport Network Services and NAI Labs, the Security +.\" Research Division of Network Associates, Inc. under DARPA/SPAWAR +.\" contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS +.\" research program. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The names of the authors may not be used to endorse or promote +.\" products derived from this software without specific prior written +.\" permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $FreeBSD$ +.Dd OCTOBER 11, 2002 +.Dt UGIDFW 8 +.Sh NAME +.Nm ugidfw +.Nd firewall-like access controls for file system objects +.Sh SYNOPSIS +.Nm +.Cm list +.Nm +.Cm set +.Ar rulenum +.Cm subject +.Op Cm not +.Op uid Ar uid +.Op gid Ar gid +.Cm object +.Op Cm not +.Op Cm uid Ar uid +.Op Cm gid Ar gid +.Cm mode +.Ar arswxn +.Nm +.Cm remove +.Ar rulenum +.Sh DESCRIPTION +The +.Nm +command provides an +.Xr ipfw 8 Ns -like +interface to manage accesses to file system objects by UID and GID, +supported by the +.Nm mac_bsdextended +.Xr mac 9 +policy. +.Pp +The arguments are as follows: +.Bl -tag -width 6n -offset indent +.It Cm list +Produces a list of all the current +.Nm +rules in the system. +.It Xo +.Cm set Ar rulenum +.Cm subject +.Op Cm not +.Op uid Ar uid +.Op gid Ar gid +.Cm object +.Op Cm not +.Op Cm uid Ar uid +.Op Cm gid Ar gid +.Cm mode +.Ar arswxn +.Xc +Add a new rule or modify an existing rule. +The arguments are as follows: +.Bl -tag -width 7n +.It Ar rulenum +Rule number. +Entries with a lower rule number +are applied first; +placing the most frequently-matched rules at the beginning of the list +(i.e. lower-numbered) +will yield a slight performance increase. +.It Xo +.Cm subject +.Op Cm not +.Op Cm uid Ar uid +.Op Cm gid Ar gid +.Xc +Subjects performing an operation must match +(or, if +.Dq not +is specified, must +.Em not +match) +the user and group specified by +.Ar uid +and/or +.Ar gid +for the rule to be applied. +.It Xo +.Cm object +.Op Cm not +.Op Cm uid Ar uid +.Op Cm gid Ar gid +.Xc +Objects must be owned by +(or, if +.Dq not +is specified, must +.Em not +be owned by) +the user and/or group specified by +.Ar uid +and/or +.Ar gid +for the rule to be applied. +.It Cm mode Ar arswxn +Similar to +.Xr chmod 1 , +each character represents an access mode. +If the rule applies, +the specified access permissions are enforced +for the object. +When a character is specified in the rule, +the rule will allow for the operation. 
+Conversely, not including it will cause the operation +to be denied. +The definitions of each character are as follows: +.Bl -tag -width 3n -compact -offset indent +.It Sq a +Administrative operations +.It Sq r +Read access +.It Sq s +Access to file attributes +.It Sq w +Write access +.It Sq x +Execute access +.It Sq n +None +.El +.El +.It Cd remove Ar rulenum +Disable and remove the rule with the specified rule number. +.El +. +.Sh SEE ALSO +.Xr mac 9 +.Sh HISTORY +The +.Nm +command first appeared in +.Fx 5.0 . +.Sh AUTHORS +This software was contributed to the +.Fx +Project by NAI Labs, the Security Research Division of Network Associates Inc. +under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), +as part of the DARPA CHATS research program.
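Review bot: The SYNOPSIS and the `set` description disagree on the `subject` sub-options: under `subject` the hunk has `.Op uid Ar uid` / `.Op gid Ar gid` without `.Cm`, while the `object` clause and the later `.It Xo ... .Cm subject` block use `.Op Cm uid Ar uid` / `.Op Cm gid Ar gid`; the SYNOPSIS lines should take `.Cm` too so the keywords render consistently. In the same vein, `.It Cd remove Ar rulenum` should be `.It Cm remove Ar rulenum` to match the other command items (`.It Cm list`), `.Dd OCTOBER 11, 2002` should use the conventional `.Dd October 11, 2002`, and the lone `.` line before `.Sh SEE ALSO` is a stray macro line that should be dropped. On content, the `mode` text ("If the rule applies, the specified access permissions are enforced for the object") should say whether a rule grants access on its own or only restricts what the ordinary file permissions already allow, since readers will reasonably want to know the rules cannot widen access; and since `rulenum` is described with "Entries with a lower rule number are applied first" plus a performance note, the page should state explicitly whether evaluation stops at the first matching rule, as that is what the ordering advice implies.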