diff options
Diffstat (limited to 'usr.sbin/ugidfw/ugidfw.8')
| -rw-r--r-- | usr.sbin/ugidfw/ugidfw.8 | 360 |
1 files changed, 0 insertions, 360 deletions
diff --git a/usr.sbin/ugidfw/ugidfw.8 b/usr.sbin/ugidfw/ugidfw.8 deleted file mode 100644 index a639d43..0000000 --- a/usr.sbin/ugidfw/ugidfw.8 +++ /dev/null @@ -1,360 +0,0 @@ -.\" Copyright (c) 2002, 2004 Networks Associates Technology, Inc. -.\" All rights reserved. -.\" -.\" This software was developed for the FreeBSD Project by Chris -.\" Costello at Safeport Network Services and NAI Labs, the Security -.\" Research Division of Network Associates, Inc. under DARPA/SPAWAR -.\" contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS -.\" research program. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $FreeBSD$ -.\" -.Dd February 24, 2004 -.Dt UGIDFW 8 -.Os -.Sh NAME -.Nm ugidfw -.Nd "firewall-like access controls for file system objects" -.Sh SYNOPSIS -.Nm -.Cm add -.Cm subject -.Op Cm not -.Oo -.Op Cm \&! -.Cm uid Ar uid | minuid:maxuid -.Oc -.Oo -.Op Cm \&! -.Cm gid Ar gid | mingid:maxgid -.Oc -.Oo -.Op Cm \&! -.Cm jailid Ad jailid -.Oc -.Cm object -.Op Cm not -.Oo -.Op Cm \&! -.Cm uid Ar uid | minuid:maxuid -.Oc -.Oo -.Op Cm \&! -.Cm gid Ar gid | mingid:maxgid -.Oc -.Oo -.Op Cm \&! -.Cm filesys Ad path -.Oc -.Oo -.Op Cm \&! -.Cm suid -.Oc -.Oo -.Op Cm \&! -.Cm sgid -.Oc -.Oo -.Op Cm \&! -.Cm uid_of_subject -.Oc -.Oo -.Op Cm \&! -.Cm gid_of_subject -.Oc -.Oo -.Op Cm \&! -.Cm type Ar ardbclsp -.Oc -.Cm mode -.Ar arswxn -.Nm -.Cm list -.Nm -.Cm set -.Ar rulenum -.Cm subject -.Op Cm not -.Oo -.Op Cm \&! -.Cm uid Ar uid | minuid:maxuid -.Oc -.Oo -.Op Cm \&! -.Cm gid Ar gid | mingid:maxgid -.Oc -.Oo -.Op Cm \&! -.Cm jailid Ad jailid -.Oc -.Cm object -.Op Cm not -.Oo -.Op Cm \&! -.Cm uid Ar uid | minuid:maxuid -.Oc -.Oo -.Op Cm \&! -.Cm gid Ar gid | mingid:maxgid -.Oc -.Oo -.Op Cm \&! -.Cm filesys Ad path -.Oc -.Oo -.Op Cm \&! -.Cm suid -.Oc -.Oo -.Op Cm \&! -.Cm sgid -.Oc -.Oo -.Op Cm \&! -.Cm uid_of_subject -.Oc -.Oo -.Op Cm \&! -.Cm gid_of_subject -.Oc -.Oo -.Op Cm \&! -.Cm type Ar ardbclsp -.Oc -.Cm mode -.Ar arswxn -.Nm -.Cm remove -.Ar rulenum -.Sh DESCRIPTION -The -.Nm -utility provides an -.Xr ipfw 8 Ns -like -interface to manage access to file system objects by UID and GID, -supported by the -.Xr mac_bsdextended 4 -.Xr mac 9 -policy. -.Pp -The arguments are as follows: -.Bl -tag -width indent -offset indent -.It Xo -.Cm add -.Cm subject -.Ar ... -.Cm object -.Ar ... -.Cm mode -.Ar arswxn -.Xc -Add a new rule, automatically selecting the rule number. -See the description of -.Cm set -for syntax information. -.It Cm list -Produces a list of all the current -.Nm -rules in the system. -.It Xo -.Cm set Ar rulenum -.Cm subject -.Ar ... -.Cm object -.Ar ... -.Cm mode -.Ar arswxn -.Xc -Add a new rule or modify an existing rule. -The arguments are as follows: -.Bl -tag -width ".Ar rulenum" -.It Ar rulenum -Rule number. -Entries with a lower rule number -are applied first; -placing the most frequently-matched rules at the beginning of the list -(i.e., lower-numbered) -will yield a slight performance increase. -.It Xo -.Cm subject -.Op Cm not -.Oo -.Op Cm \&! -.Cm uid Ar uid | minuid:maxuid -.Oc -.Oo -.Op Cm \&! -.Cm gid Ar gid | mingid:maxgid -.Oc -.Oo -.Op Cm \&! -.Cm jailid Ad jailid -.Oc -.Xc -Subjects performing an operation must match all the conditions given. -A leading -.Cm not -means that the subject should not match the remainder of the specification. -A condition may be prefixed by -.Cm \&! -to indicate that particular condition must not match the subject. -The subject can be required to have a particular -.Ar uid -and/or -.Ar gid . -A range of uids/gids can be specified, separated by a colon. -The subject can be required to be in a particular jail with the -.Ar jailid . -.It Xo -.Cm object -.Op Cm not -.Oo -.Op Cm \&! -.Cm uid Ar uid | minuid:maxuid -.Oc -.Oo -.Op Cm \&! -.Cm gid Ar gid | mingid:maxgid -.Oc -.Oo -.Op Cm \&! -.Cm filesys Ad path -.Oc -.Oo -.Op Cm \&! -.Cm suid -.Oc -.Oo -.Op Cm \&! -.Cm sgid -.Oc -.Oo -.Op Cm \&! -.Cm uid_of_subject -.Oc -.Oo -.Op Cm \&! -.Cm gid_of_subject -.Oc -.Oo -.Op Cm \&! -.Cm type Ar ardbclsp -.Oc -.Xc -The rule will apply only to objects matching all the specified conditions. -A leading -.Cm not -means that the object should not match all the remaining conditions. -A condition may be prefixed by -.Cm \&! -to indicate that particular condition must not match the object. -Objects can be required to be owned by the user and/or group specified by -.Ar uid -and/or -.Ar gid . -A range of uids/gids can be specified, separated by a colon. -The object can be required to be in a particular filesystem by -specifying the filesystem using -.Cm filesys . -Note, -if the filesystem is unmounted and remounted, -then the rule may need to be reapplied to ensure the correct filesystem -id is used. -The object can be required to have the -.Cm suid -or -.Cm sgid -bits set. -The owner of the object can be required to match the -.Cm uid_of_subject -or the -.Cm gid_of_subject -attempting the operation. -The type of the object can be restricted to a subset of -the following types. -.Pp -.Bl -tag -width ".Cm w" -compact -offset indent -.It Cm a -any file type -.It Cm r -a regular file -.It Cm d -a directory -.It Cm b -a block special device -.It Cm c -a character special device -.It Cm l -a symbolic link -.It Cm s -a unix domain socket -.It Cm p -a named pipe (FIFO) -.El -.It Cm mode Ar arswxn -Similar to -.Xr chmod 1 , -each character represents an access mode. -If the rule applies, -the specified access permissions are enforced -for the object. -When a character is specified in the rule, -the rule will allow for the operation. -Conversely, not including it will cause the operation -to be denied. -The definitions of each character are as follows: -.Pp -.Bl -tag -width ".Cm w" -compact -offset indent -.It Cm a -administrative operations -.It Cm r -read access -.It Cm s -access to file attributes -.It Cm w -write access -.It Cm x -execute access -.It Cm n -none -.El -.El -.It Cm remove Ar rulenum -Disable and remove the rule with the specified rule number. -.El -.Sh SEE ALSO -.Xr mac_bsdextended 4 , -.Xr mac 9 -.Sh HISTORY -The -.Nm -utility first appeared in -.Fx 5.0 . -.Sh AUTHORS -This software was contributed to the -.Fx -Project by NAI Labs, the Security Research Division of Network Associates -Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 -.Pq Dq CBOSS , -as part of the DARPA CHATS research program. |
