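#!/bin/sh
####
# Sample startup policy for the mac_bsdextended(4) security module.
#
# Every rule is installed with ugidfw(8).  mac_bsdextended only adds
# restrictions on top of the ordinary file permissions; it never grants
# more than DAC already allows.  Rules are consulted in the order they
# are added (first match wins while security.mac.bsdextended.firstmatch_enabled
# is set -- confirm on the target host), and this policy relies on that:
# the "allow" rules for system accounts and the admin exception MUST stay
# ahead of the per-user "deny everything" rule further down.  That deny
# rule matches root as well; root only gets through because its own rule
# is added first.
#
# Suck in the system configuration variables.
####
if [ -z "${source_rc_confs_defined}" ]; then
  if [ -r /etc/defaults/rc.conf ]; then
    . /etc/defaults/rc.conf
    source_rc_confs
  elif [ -r /etc/rc.conf ]; then
    . /etc/rc.conf
  fi
fi

####
# Set ugidfw(8) to CMD:
####
CMD=/usr/sbin/ugidfw
if [ ! -x "${CMD}" ]; then
  # Without ugidfw every rule below would fail anyway; say so once and stop.
  printf '%s: %s is not executable; no rules loaded\n' "$0" "${CMD}" >&2
  exit 1
fi

####
# Tunables.  Accounts with min_uid <= uid < max_uid get the per-user
# rules.  Every other account is treated as a system account and needs
# an explicit rule ABOVE the deny rule, or it is locked out of all
# regular users' files.
####
min_uid=1001
max_uid=65534     # exclusive upper bound; 65534 is nobody, handled on its own
admin_user=lix    # account that keeps full access to its own gid-0 files

# Regular login names, one per line.  /etc/passwd is read exactly once;
# empty names are dropped so a malformed line cannot produce a bogus rule.
users=$(awk -F: -v lo="${min_uid}" -v hi="${max_uid}" \
  '($3 >= lo) && ($3 < hi) && ($1 != "") { print $1 }' /etc/passwd)

# Print the cached login names one per line (nothing when there are none).
list_users() {
  if [ -n "${users}" ]; then
    printf '%s\n' "${users}"
  fi
}

####
# For apache to read user files, the ruleadd must give
# it permissions by default.
####
#${CMD} add subject uid 80 object not uid 80 mode rxws
#${CMD} add subject gid 80 object not gid 80 mode rxws

####
# This is for root (must precede the per-user deny rule, see above):
####
"${CMD}" add subject uid 0 object not uid 0 mode arxws
"${CMD}" add subject gid 0 object not gid 0 mode arxws

####
# And for bin:
####
"${CMD}" add subject uid 3 object not uid 3 mode rxws
"${CMD}" add subject gid 7 object not gid 7 mode rxws

####
# And for mailnull:
####
"${CMD}" add subject uid 26 object not uid 26 mode rxws
"${CMD}" add subject gid 26 object not gid 26 mode rxws

# For the nobody account:
"${CMD}" add subject uid 65534 object not uid 65534 mode rxws
"${CMD}" add subject gid 65534 object not gid 65534 mode rxws

# wheel group is an exception: the admin account keeps full access to its
# own files that carry gid 0, which the gid-wheel rules below would
# otherwise restrict to rsx / sx.  One copy is enough -- a second identical
# rule after the deny rule adds nothing.
"${CMD}" add subject uid "${admin_user}" object uid "${admin_user}" gid 0 mode arswx

####
# The per-user rules below are deliberately kept as separate loops, one
# per rule group, rather than one loop adding all rules for a user:
# rules are matched in list order, so every user's mailbox rule must be
# in the list before ANY user's deny rule.
####

####
# NOTICE: The next loop adds a rule to allow each user to
# access their mailbox, which is owned by GID `6'.
# Removing this will give mailbox lock issues.
####
list_users | while IFS= read -r user; do
  "${CMD}" add subject uid "${user}" object gid 6 mode arwxs
done

# Deny everything if the uid is not matching.  This matches every other
# subject, root included; only the rules above let them through.
list_users | while IFS= read -r user; do
  "${CMD}" add subject not uid "${user}" object uid "${user}" mode n
done

# root:wheel files are readable and executable
list_users | while IFS= read -r user; do
  "${CMD}" add subject uid "${user}" object uid root type r mode rsx
done
list_users | while IFS= read -r user; do
  "${CMD}" add subject uid "${user}" object gid wheel type r mode rsx
done

# root:wheel directories are not listable
list_users | while IFS= read -r user; do
  "${CMD}" add subject uid "${user}" object uid root type d mode sx
done
list_users | while IFS= read -r user; do
  "${CMD}" add subject uid "${user}" object gid wheel type d mode sx
done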