# How to manage multiple uid/gid in mac.seeotheruids.specificgid



## kavitakr (Jul 13, 2020)

Hi,

I am _reading_ the MAC See Other UIDs Policy [https://www.freebsd.org/doc/handbook/mac-policies.html].
What if we need to allow multiple GIDs/UIDs to have access to see processes/sockets?

How do we manage such a situation?


----------



## Mjölnir (Jul 13, 2020)

RTFM *15.5.1. The MAC See Other UIDs Policy*:

Module name: mac_seeotheruids.ko

Kernel configuration line: `options MAC_SEEOTHERUIDS`

Boot option: `mac_seeotheruids_load="YES"`

The mac_seeotheruids(4) module extends the _security.bsd.see_other_uids_ and _security.bsd.see_other_gids_ sysctl tunables. This option does not require any labels to be set before configuration and can operate transparently with other modules.

After loading the module, the following sysctl tunables may be used to control its features:

- _security.mac.seeotheruids.enabled_ enables the module and implements the default settings which deny users the ability to view processes and sockets owned by other users.
- _security.mac.seeotheruids.specificgid_enabled_ allows specified groups to be exempt from this policy. To exempt specific groups, use the _security.mac.seeotheruids.specificgid=XXX_ sysctl tunable, replacing _XXX_ with the numeric group ID to be exempted.
- _security.mac.seeotheruids.primarygroup_enabled_ is used to exempt specific primary groups from this policy. When using this tunable, _security.mac.seeotheruids.specificgid_enabled_ may not be set.

EDIT: IMHO that's not possible. It would be more or less easy to patch, but for the time being I see no other choice than to create a (one) group for that and add the users in question to this group. Or use some existing group, e.g. _staff_ or _operator_.

2nd EDIT: Consider filing a bug report on the handbook. It says "groups" instead of "one specific group", which is misleading.


----------



## kavitakr (Jul 13, 2020)

I have enabled `options MAC_SEEOTHERUIDS` in my kernel:

```
# Hide UIDs and GIDs from other users, except GID 900 (admin)
security.mac.seeotheruids.specificgid=900
security.mac.seeotheruids.specificgid_enabled=1
```
So only processes with GID 900 can have access. I want to add multiple GIDs to be allowed. Is it possible?


----------



## Mjölnir (Jul 13, 2020)

I edited my previous post, please reload.  The sysctl knob takes only one GID.


----------
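Since `security.mac.seeotheruids.specificgid` accepts exactly one numeric GID, the practical way to exempt several users is the workaround described above: put them all in one group and name that group's GID. The script below is an added example and is not from the thread or the FreeBSD handbook. It renders the `sysctl.conf` lines and the `pw(8)` commands for that setup and rejects a comma-separated "list" of GIDs, which the knob cannot take. The group name `procview`, GID `900` and the user names are assumptions; the script only prints the commands and does not run `pw` or `sysctl` itself.

```shell
#!/bin/sh
# Added example, not part of the original thread or handbook.
# mac_seeotheruids(4) exposes security.mac.seeotheruids.specificgid as a single
# integer, so several users are exempted by placing them in ONE group and
# pointing the knob at that group's GID. Nothing here is executed against the
# system: the functions only emit configuration text and commands.

# A GID for this knob must be a single non-negative integer; "900,901" is not.
valid_gid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the /etc/sysctl.conf lines that exempt the given GID from the policy.
render_sysctl_conf() {
    gid="$1"
    if ! valid_gid "$gid"; then
        echo "specificgid takes exactly one numeric GID, got: '$gid'" >&2
        return 1
    fi
    printf '%s\n' \
        "security.mac.seeotheruids.enabled=1" \
        "security.mac.seeotheruids.specificgid_enabled=1" \
        "security.mac.seeotheruids.specificgid=$gid"
}

# Emit pw(8) commands: create the exempt group with a fixed GID, then add each
# user as a secondary member. Usage: render_pw_cmds GROUP GID USER...
render_pw_cmds() {
    group="$1"; gid="$2"; shift 2
    valid_gid "$gid" || return 1
    printf 'pw groupadd %s -g %s\n' "$group" "$gid"
    for u in "$@"; do
        printf 'pw groupmod %s -m %s\n' "$group" "$u"
    done
}

# Example run with assumed names (group "procview", GID 900, users alice/bob).
render_pw_cmds procview 900 alice bob
render_sysctl_conf 900
```

The emitted lines are meant to be reviewed and then appended to `/etc/sysctl.conf` (or applied live with `sysctl`) and run as root; `mac_seeotheruids_load="YES"` in `/boot/loader.conf` is still needed unless the policy is compiled into the kernel, as it is in the poster's case.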

