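#!/bin/sh
####
# Sample startup policy for the mac_bsdextended(4) security module.
#
# Every rule is installed with ugidfw(8); see ugidfw(8) for the
# subject/object/mode grammar.  Two properties of mac_bsdextended(4)
# shape this file:
#   - It only takes access away.  A matching rule whose mode omits an
#     access bit denies that bit; the ordinary DAC permission check
#     still applies on top of whatever these rules permit.
#   - Rules are kept in the order they are added and, with the default
#     first-match evaluation (sysctl
#     security.mac.bsdextended.firstmatch_enabled), the first matching
#     rule decides.  An exception therefore has to be added *before*
#     the broader rule it carves out of.  Confirm this against
#     mac_bsdextended(4) on the target release before reordering
#     anything below.
# Running this script twice appends a second copy of every rule; check
# with "ugidfw list" before re-running it on a live system.
#
# Suck in the system configuration variables.
####
if [ -z "${source_rc_confs_defined}" ]; then
	if [ -r /etc/defaults/rc.conf ]; then
		. /etc/defaults/rc.conf
		source_rc_confs
	elif [ -r /etc/rc.conf ]; then
		. /etc/rc.conf
	fi
fi

####
# Set ugidfw(8) to CMD:
####
CMD=/usr/sbin/ugidfw

####
# rule ARGS...: install one rule via "${CMD} add ARGS...".
# A failed add is reported on stderr and the function returns 1, so a
# partially loaded policy shows up in the boot log instead of being
# silently ignored.  Callers deliberately do not abort on failure; the
# remaining rules are still worth installing.
####
rule() {
	"${CMD}" add "$@" && return 0
	printf '%s: ugidfw add %s failed\n' "${0##*/}" "$*" >&2
	return 1
}

####
# local_users [PASSWD_FILE]: print, one per line, the names of the
# accounts whose UID lies in [MIN_UID, MAX_UID).  1001 is the first UID
# adduser(8) hands out on FreeBSD; 65534 is nobody, which has its own
# rules below.  The file defaults to /etc/passwd.
####
MIN_UID=1001
MAX_UID=65534
local_users() {
	awk -F: -v min="${MIN_UID}" -v max="${MAX_UID}" \
		'($3 >= min) && ($3 < max) { print $1 }' "${1:-/etc/passwd}"
}

# Read the account list once rather than once per loop below.
USERS=$(local_users)

####
# Local account that keeps full access to its own wheel-group objects
# even though wheel-owned objects are restricted for everybody else.
####
ADMIN_USER=lix

####
# For apache to read user files, the ruleadd must give
# it permissions by default.  If enabled, these must stay
# above the per-user deny loop below (first-match, see header).
####
#rule subject uid 80 object not uid 80 mode rxws
#rule subject gid 80 object not gid 80 mode rxws


####
# This is for root: full access to everything it does not own.
# Listed before the per-user deny loop so root is never caught by it.
# NOTE(review): the gid 0 rule presumably also matches every member of
# wheel, not only root -- verify against mac_bsdextended(4).
####
rule subject uid 0 object not uid 0 mode arxws
rule subject gid 0 object not gid 0 mode arxws

####
# And for bin (uid 3, gid 7):
####
rule subject uid 3 object not uid 3 mode rxws
rule subject gid 7 object not gid 7 mode rxws

####
# And for mailnull (uid/gid 26):
####
rule subject uid 26 object not uid 26 mode rxws
rule subject gid 26 object not gid 26 mode rxws

# For the nobody account (uid/gid 65534):
rule subject uid 65534 object not uid 65534 mode rxws
rule subject gid 65534 object not gid 65534 mode rxws

####
# Exception for ADMIN_USER: full access to its own objects that carry
# group wheel.  It must precede the root/wheel restrictions below.
# (The original carried a second, identical copy of this rule after
# those restrictions; a duplicate adds nothing, so it has been dropped.)
####
rule subject uid "${ADMIN_USER}" object uid "${ADMIN_USER}" gid 0 mode arswx

####
# NOTICE: The next loop adds a rule to allow each user
# access to their mailbox, which is owned by GID `6' (mail).
# Removing this will give mailbox lock issues.
# The rule matches *every* gid-6 object, not just the user's own
# mailbox; since this module only restricts, DAC still decides whether
# another user's spool file is actually readable.
####
for x in $USERS; do	# one name per line; word-splitting is intended
	rule subject uid "$x" object gid 6 mode arwxs
done

####
# Deny everyone except the owner any access to a user's files.
# The rules above this loop (root, the system accounts, ADMIN_USER
# and, if enabled, apache) are the only exceptions; anything else
# that legitimately needs another user's files must be added above.
####
for x in $USERS; do
	rule subject not uid "$x" object uid "$x" mode n
done

####
# root:wheel regular files are readable and executable, never writable.
####
for x in $USERS; do
	rule subject uid "$x" object uid root type r mode rsx
done
for x in $USERS; do
	rule subject uid "$x" object gid wheel type r mode rsx
done

####
# root:wheel directories are not listable: search and stat only.
####
for x in $USERS; do
	rule subject uid "$x" object uid root type d mode sx
done
for x in $USERS; do
	rule subject uid "$x" object gid wheel type d mode sx
done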