| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
| 1 | .\" $NetBSD: secmodel_suser.9,v 1.3 2009/10/02 20:31:19 elad Exp $ | | 1 | .\" $NetBSD: secmodel_suser.9,v 1.4 2009/10/03 07:37:01 wiz Exp $ |
| 2 | .\" | | 2 | .\" |
| 3 | .\" Copyright (c) 2009 Elad Efrat <elad@NetBSD.org> | | 3 | .\" Copyright (c) 2009 Elad Efrat <elad@NetBSD.org> |
| 4 | .\" All rights reserved. | | 4 | .\" All rights reserved. |
| 5 | .\" | | 5 | .\" |
| 6 | .\" Redistribution and use in source and binary forms, with or without | | 6 | .\" Redistribution and use in source and binary forms, with or without |
| 7 | .\" modification, are permitted provided that the following conditions | | 7 | .\" modification, are permitted provided that the following conditions |
| 8 | .\" are met: | | 8 | .\" are met: |
| 9 | .\" 1. Redistributions of source code must retain the above copyright | | 9 | .\" 1. Redistributions of source code must retain the above copyright |
| 10 | .\" notice, this list of conditions and the following disclaimer. | | 10 | .\" notice, this list of conditions and the following disclaimer. |
| 11 | .\" 2. Redistributions in binary form must reproduce the above copyright | | 11 | .\" 2. Redistributions in binary form must reproduce the above copyright |
| 12 | .\" notice, this list of conditions and the following disclaimer in the | | 12 | .\" notice, this list of conditions and the following disclaimer in the |
| 13 | .\" documentation and/or other materials provided with the distribution. | | 13 | .\" documentation and/or other materials provided with the distribution. |
| 14 | .\" 3. The name of the author may not be used to endorse or promote products | | 14 | .\" 3. The name of the author may not be used to endorse or promote products |
| @@ -25,28 +25,27 @@ | | | @@ -25,28 +25,27 @@ |
| 25 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | | 25 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 26 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | | 26 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 27 | .\" | | 27 | .\" |
| 28 | .Dd October 2, 2009 | | 28 | .Dd October 2, 2009 |
| 29 | .Dt SECMODEL_SUSER 9 | | 29 | .Dt SECMODEL_SUSER 9 |
| 30 | .Os | | 30 | .Os |
| 31 | .Sh NAME | | 31 | .Sh NAME |
| 32 | .Nm secmodel_suser | | 32 | .Nm secmodel_suser |
| 33 | .Nd super-user security model | | 33 | .Nd super-user security model |
| 34 | .Sh DESCRIPTION | | 34 | .Sh DESCRIPTION |
| 35 | .Nm | | 35 | .Nm |
| 36 | implements the traditional | | 36 | implements the traditional |
| 37 | .Em super-user | | 37 | .Em super-user |
| 38 | (root) as the user with effective user-id | | 38 | (root) as the user with effective user-id 0. |
| 39 | 0. | | | |
| 40 | The | | 39 | The |
| 41 | .Em super-user | | 40 | .Em super-user |
| 42 | is the host administrator, considered to have higher privileges than other | | 41 | is the host administrator, considered to have higher privileges than other |
| 43 | users. | | 42 | users. |
| 44 | .Pp | | 43 | .Pp |
| 45 | The following | | 44 | The following |
| 46 | .Xr sysctl 3 | | 45 | .Xr sysctl 3 |
| 47 | variables are exported: | | 46 | variables are exported: |
| 48 | .Bl -tag -width compact | | 47 | .Bl -tag -width compact |
| 49 | .It security.models.suser.curtain | | 48 | .It security.models.suser.curtain |
| 50 | If non-zero, will filter returned objects according to the user-id | | 49 | If non-zero, will filter returned objects according to the user-id |
| 51 | requesting information about them, preventing from users any access to | | 50 | requesting information about them, preventing from users any access to |
| 52 | objects they don't own. | | 51 | objects they don't own. |
| @@ -57,29 +56,29 @@ At the moment, it affects | | | @@ -57,29 +56,29 @@ At the moment, it affects |
| 57 | (for | | 56 | (for |
| 58 | .Dv PF_INET , | | 57 | .Dv PF_INET , |
| 59 | .Dv PF_INET6 , | | 58 | .Dv PF_INET6 , |
| 60 | and | | 59 | and |
| 61 | .Dv PF_UNIX | | 60 | .Dv PF_UNIX |
| 62 | PCBs), and | | 61 | PCBs), and |
| 63 | .Xr w 1 . | | 62 | .Xr w 1 . |
| 64 | .It security.models.suser.usermount | | 63 | .It security.models.suser.usermount |
| 65 | Allow non-superuser mounts. | | 64 | Allow non-superuser mounts. |
| 66 | .Pp | | 65 | .Pp |
| 67 | If non-zero, file-systems are allowed to be mounted by an ordinary user who | | 66 | If non-zero, file-systems are allowed to be mounted by an ordinary user who |
| 68 | owns the point | | 67 | owns the point |
| 69 | .Ar node | | 68 | .Ar node |
| 70 | and has at least read access to the | | 69 | and has at least read access to the |
| 71 | .Ar special | | 70 | .Ar special |
| 72 | device | | 71 | device |
| 73 | .Xr mount 8 | | 72 | .Xr mount 8 |
| 74 | arguments. | | 73 | arguments. |
| 75 | Finally, the flags | | 74 | Finally, the flags |
| 76 | .Cm nosuid | | 75 | .Cm nosuid |
| 77 | and | | 76 | and |
| 78 | .Cm nodev | | 77 | .Cm nodev |
| 79 | must be given for non-superuser mounts. | | 78 | must be given for non-superuser mounts. |
| 80 | .El | | 79 | .El |
| 81 | .Sh SEE ALSO | | 80 | .Sh SEE ALSO |
| 82 | .Xr kauth 9 , | | 81 | .Xr kauth 9 , |
| 83 | .Xr secmodel 9 , | | 82 | .Xr secmodel 9 , |
| 84 | .Xr secmodel_bsd44 9 | | 83 | .Xr secmodel_bsd44 9 |
| 85 | .Sh AUTHORS | | 84 | .Sh AUTHORS |