This example considers a relatively small storage system with fewer than fifty users. Users will have login capabilities and are permitted to store data and access resources.
For this scenario, the mac_bsdextended(4) and mac_seeotheruids(4) policy modules could co-exist and block access to system objects while hiding user processes.
Begin by adding the following line to /boot/loader.conf:
mac_seeotheruids_load="YES"
The mac_bsdextended(4) security policy module may be activated by adding this line to /etc/rc.conf:
ugidfw_enable="YES"
Default rules stored in /etc/rc.bsdextended will be loaded at system initialization. However, the default entries may need modification. Since this machine is expected only to service users, everything may be left commented out except the last two lines in order to force the loading of user-owned system objects by default.
Add the required users to this machine and reboot. For testing purposes, try logging in as a different user across two consoles. Run ps aux to see if processes of other users are visible. Verify that running ls(1) on another user's home directory fails.
Do not try to test with the root user unless the specific sysctls have been modified to block super user access.
When a new user is added, their mac_bsdextended(4) rule will not be in the ruleset list. To update the ruleset quickly, unload the security policy module and reload it again using kldunload(8) and kldload(8).
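The following script is an added example, not part of the original document: it audits the two settings configured above and, on a FreeBSD host, checks that both policy modules are present in the running kernel. The function names are hypothetical, and it assumes the last uncommented assignment in each file is the effective one and that the modules register under the names mac_seeotheruids and mac_bsdextended.

```shell
#!/bin/sh
# Added example: audit the two settings this section relies on.
# Function names are hypothetical helpers, not part of FreeBSD.

# conf_enabled FILE VAR: succeed if the last uncommented VAR= line in FILE is YES.
conf_enabled() {
    file=$1 var=$2
    [ -r "$file" ] || return 2
    # Assumption: the last assignment is the effective one. Commented lines
    # do not match; quotes and trailing comments are stripped.
    val=$(sed -n "s/^[[:space:]]*${var}=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$file" | tail -n 1)
    case $val in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_lockdown [LOADER_CONF] [RC_CONF]: report each missing setting.
audit_lockdown() {
    loader=${1:-/boot/loader.conf} rc=${2:-/etc/rc.conf} rv=0
    conf_enabled "$loader" mac_seeotheruids_load ||
        { echo "MISSING: mac_seeotheruids_load=\"YES\" in $loader"; rv=1; }
    conf_enabled "$rc" ugidfw_enable ||
        { echo "MISSING: ugidfw_enable=\"YES\" in $rc"; rv=1; }
    return $rv
}

# live_check: confirm both policy modules are registered in the running kernel.
live_check() {
    rv=0
    for mod in mac_seeotheruids mac_bsdextended; do
        kldstat -q -m "$mod" || { echo "NOT LOADED: $mod"; rv=1; }
    done
    return $rv
}

if [ "$(uname -s)" = FreeBSD ]; then
    audit_lockdown && live_check
else
    # Constructed sample files, for trying the parser on another system.
    d=$(mktemp -d)
    printf '#mac_seeotheruids_load="YES"\n' > "$d/loader.conf"  # commented out
    printf 'ugidfw_enable="YES"\n' > "$d/rc.conf"
    audit_lockdown "$d/loader.conf" "$d/rc.conf" || echo "sample audit reported a gap"
    rm -rf "$d"
fi
```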