# Activation of MAC_SEEOTHERUIDS policy



## French Fries (Aug 15, 2017)

Dear Friends,

Pardon my ignorance, but I would like to implement MAC_SEEOTHERUIDS as explained in:

https://www.freebsd.org/doc/el/books/handbook/mac-modules.html


```
Kernel configuration line: options MAC_SEEOTHERUIDS
Boot option: mac_seeotheruids_load="YES"
```

I added mac_seeotheruids_load="YES" to /boot/loader.conf

Where to implement:

```
options MAC_SEEOTHERUIDS
```
?

My board is a BeagleBone Black; I hope that it has the requested kernel modules.
For a newcomer like me, "Kernel configuration line" is not clear enough.

Thank you


----------



## ondra_knezour (Aug 15, 2017)

Configuring custom kernel

You can choose here if you would prefer to load the given module dynamically (via the /boot/loader.conf file) or link it statically into your custom-built kernel (using the `options MAC_SEEOTHERUIDS` option).

Side note - try to use links to the English versions of documents where those exist. That may help others to get a quick glance at what you are talking about. You probably wouldn't be too surprised that I was not able to say where in the documentation I am in the Greek version linked above.


----------



## k.jacker (Aug 15, 2017)

Hei,

I haven't used it myself, but mac_seeotheruids.ko looks like a kernel module that extends `sysctl security.bsd.see_other_uids` functionality.

```
% sysctl -a | grep uids
security.bsd.see_other_uids: 1
```

After `kldload mac_seeotheruids` it should look like this:

```
% sysctl -a | grep uids
security.mac.seeotheruids.specificgid: 0
security.mac.seeotheruids.specificgid_enabled: 0
security.mac.seeotheruids.suser_privileged: 1
security.mac.seeotheruids.primarygroup_enabled: 0
security.mac.seeotheruids.enabled: 1
security.bsd.see_other_uids: 1
```

If the kernel module is available, you make it load at boot time by adding `mac_seeotheruids_load="YES"` to /boot/loader.conf
(from the manpage mac_seeotheruids(4) noted in the Handbook page you posted).

Then you configure it by using e.g. `sysctl security.mac.seeotheruids.specificgid=n`

When you're happy, add the settings to /etc/sysctl.conf to be applied at boot time.


Greetings
Matthias


----------
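The steps in k.jacker's post above (load the module from /boot/loader.conf, tune it with `sysctl`, then persist the values in /etc/sysctl.conf) can be checked with a small script; this is an added example, not code from any poster in the thread. The function names and the sample gid 1001 are assumptions, and the post-load defaults are the values in the post's `sysctl` listing.

```shell
#!/bin/sh
# Added example, not from the thread. Knob names are the sysctl OIDs shown above.
# Succeeds if FILE has an uncommented mac_seeotheruids_load="YES" line.
loader_enabled() {
    grep -Eq '^[[:space:]]*mac_seeotheruids_load[[:space:]]*=[[:space:]]*"?YES"?' "$1"
}

# Print OID's value from FILE ("oid: value" or "oid=value"); fails if not set there.
sysctl_value() {
    awk -v k="$1" '
        { sub(/#.*/, "")
          n = index($0, "="); if (!n) n = index($0, ":"); if (!n) next
          name = substr($0, 1, n - 1); val = substr($0, n + 1)
          gsub(/[ \t]/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (name == k) { v = val; found = 1 } }
        END { if (!found) exit 1; print v }' "$2"
}

# Value a knob has right after kldload, taken from the sysctl listing in the post.
loaded_default() {
    case "$1" in suser_privileged) echo 1 ;; *) echo 0 ;; esac
}

# audit_seeotheruids LOADER_CONF SYSCTL_CONF SAVED_SYSCTL_OUTPUT
# Prints one line per finding; the exit status is the number of findings.
audit_seeotheruids() {
    findings=0
    loader_enabled "$1" || { echo "loader: mac_seeotheruids_load=\"YES\" not in $1"; findings=$((findings + 1)); }
    live=$(sysctl_value security.mac.seeotheruids.enabled "$3") || live=absent
    [ "$live" = 1 ] || { echo "runtime: security.mac.seeotheruids.enabled is $live"; findings=$((findings + 1)); }
    for knob in specificgid_enabled specificgid primarygroup_enabled suser_privileged; do
        oid=security.mac.seeotheruids.$knob
        run=$(sysctl_value "$oid" "$3") || continue
        boot=$(sysctl_value "$oid" "$2") || boot=$(loaded_default "$knob")
        [ "$run" = "$boot" ] || { echo "drift: $oid is $run now, $boot after reboot"; findings=$((findings + 1)); }
    done
    return "$findings"
}

# Constructed sample: module line present, specificgid knobs set at runtime only.
demo() {
    d=$(mktemp -d)
    echo 'mac_seeotheruids_load="YES"' > "$d/loader.conf"
    : > "$d/sysctl.conf"
    printf '%s\n' 'security.mac.seeotheruids.enabled: 1' \
        'security.mac.seeotheruids.specificgid_enabled: 1' \
        'security.mac.seeotheruids.specificgid: 1001' > "$d/live.txt"
    audit_seeotheruids "$d/loader.conf" "$d/sysctl.conf" "$d/live.txt"
}
```

On a FreeBSD host, save the output of `sysctl security.mac.seeotheruids` to a file and pass it as the third argument, with /boot/loader.conf and /etc/sysctl.conf as the first two.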



## French Fries (Aug 15, 2017)

Thank you all.



ondra_knezour said:


> Configuring custom kernel
> Side note - try to use links to the English versions of documents where those exist. That may help others to get a quick glance at what you are talking about. You probably wouldn't be too surprised that I was not able to say where in the documentation I am in the Greek version linked above.



I included a link to the documentation; do you mean I should also quote the documentation for easy reading? Sure!

`kldload mac_seeotheruids`
returns an error message 'no such file'.

It is probable that the BeagleBone Black kernel is stripped-down and I need to recompile or fetch a full kernel.
In fact, I will study all this on my server and not on an embedded platform.

Thanks!


----------



## k.jacker (Aug 15, 2017)

Hei French Fries,

Sad to see the kernel module does not exist for the BeagleBone.
I'm not sure where to go from here. There need to be at least kernel sources for arm(??) to compile, but I have no idea how that is handled since I never had any non-x86 in use.



French Fries said:


> In fact, I will study all this on my server and not on an embedded platform.


Good idea to learn how it works


----------



## SirDice (Aug 16, 2017)

k.jacker said:


> There need to be at least kernel sources for arm(??) to compile, but I have no idea how that is handled since I never had any non-x86 in use.


There is only one source tree. You use the exact same source tree on AMD64, i386, in your case, ARM, and every other supported architecture.

That said, I'm not certain if MAC is actually supported on ARM. I would guess it is but it may not be enabled by default (to keep things to a minimum for embedded systems).


----------

