|
Unix VPS
Support
FAQ
Network
Miscellaneous
|
| UGIDFW(8) | FreeBSD System Manager's Manual | UGIDFW(8) |
NAME
ugidfw —
firewall-like access controls for file system objects
SYNOPSIS
ugidfw |
add subject
[not] [[!]
uid uid |
minuid:maxuid] [[!]
gid gid |
mingid:maxgid] [[!]
jailid jailid]
object [not]
[[!] uid
uid | minuid:maxuid]
[[!] gid
gid | mingid:maxgid]
[[!] filesys
path] [[!]
suid] [[!]
sgid] [[!]
uid_of_subject] [[!]
gid_of_subject] [[!]
type ardbclsp]
mode arswxn |
ugidfw |
list |
ugidfw |
set rulenum
subject [not]
[[!] uid
uid | minuid:maxuid]
[[!] gid
gid | mingid:maxgid]
[[!] jailid
jailid] object
[not] [[!]
uid uid |
minuid:maxuid] [[!]
gid gid |
mingid:maxgid] [[!]
filesys path]
[[!] suid]
[[!] sgid]
[[!] uid_of_subject]
[[!] gid_of_subject]
[[!] type
ardbclsp] mode
arswxn |
ugidfw |
remove rulenum |
DESCRIPTION
Theugidfw utility provides an
ipfw(8)-like
interface to manage access to file system objects by UID and GID, supported by
the
mac_bsdextended(4)
mac(9)
policy.
The arguments are as follows:
addsubject...object...modearswxn- Add a new rule, automatically selecting the rule number. See the
description of
setfor syntax information. list- Produces a list of all the current
ugidfwrules in the system. setrulenumsubject...object...modearswxn- Add a new rule or modify an existing rule. The arguments are as follows:
- rulenum
- Rule number. Entries with a lower rule number are applied first; placing the most frequently-matched rules at the beginning of the list (i.e., lower-numbered) will yield a slight performance increase.
subject[not] [[!]uiduid | minuid:maxuid] [[!]gidgid | mingid:maxgid] [[!]jailidjailid]- Subjects performing an operation must match all the conditions given.
A leading
notmeans that the subject should not match the remainder of the specification. A condition may be prefixed by!to indicate that particular condition must not match the subject. The subject can be required to have a particular uid and/or gid. A range of uids/gids can be specified, separated by a colon. The subject can be required to be in a particular jail with the jailid. object[not] [[!]uiduid | minuid:maxuid] [[!]gidgid | mingid:maxgid] [[!]filesyspath] [[!]suid] [[!]sgid] [[!]uid_of_subject] [[!]gid_of_subject] [[!]typeardbclsp]- The rule will apply only to objects matching all the specified
conditions. A leading
notmeans that the object should not match all the remaining conditions. A condition may be prefixed by!to indicate that particular condition must not match the object. Objects can be required to be owned by the user and/or group specified by uid and/or gid. A range of uids/gids can be specified, separated by a colon. The object can be required to be in a particular filesystem by specifying the filesystem usingfilesys. Note, if the filesystem is unmounted and remounted, then the rule may need to be reapplied to ensure the correct filesystem id is used. The object can be required to have thesuidorsgidbits set. The owner of the object can be required to match theuid_of_subjector thegid_of_subjectattempting the operation. The type of the object can be restricted to a subset of the following types. modearswxn- Similar to chmod(1), each character represents an access mode. If the rule applies, the specified access permissions are enforced for the object. When a character is specified in the rule, the rule will allow for the operation. Conversely, not including it will cause the operation to be denied. The definitions of each character are as follows:
removerulenum- Disable and remove the rule with the specified rule number.
SEE ALSO
mac_bsdextended(4), mac(9)HISTORY
Theugidfw utility first appeared in
FreeBSD 5.0.
AUTHORS
This software was contributed to the FreeBSD Project by NAI Labs, the Security Research Division of Network Associates Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA CHATS research program.| February 24, 2004 | FreeBSD 13.1-RELEASE |
Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.