Playing with mdo(1)

[fernandel]

id -p
uid user
groups wheel operator video user
 mdo -i pkg update
Updating FreeBSD-ports repository catalogue...
FreeBSD-ports repository is up to date.
Updating FreeBSD-ports-kmods repository catalogue...
FreeBSD-ports-kmods repository is up to date.
All repositories are up to date.
id -p
uid    user
groups    wheel operator video user

 

[elephant]

id -p

Thanks fernandel . I can't tell your primary group by the output of 'id -p'. With plain 'id', it looks like this:
$ id
uid=1001(ordinary) gid=1001(ordinary) groups=0(wheel),145(webcamd),1001(ordinary)

Edit: does 'mdo pkg update' work for you? (eg. without the '-i' switch)

 

[fernandel]

id
uid=1001(user) gid=1001(user) groups=0(wheel),5(operator),44(video),1001(user)

 mdo pkg upgrade                                                                
mdo: setcred(): Operation not permitted

 

[elephant]

Thanks fernandel ! That's crazy. I'm experiencing the opposite where 'mdo' works but 'mdo -i' does not.

 

[fernandel]

Thanks fernandel ! That's crazy. I'm experiencing the opposite where 'mdo' works but 'mdo -i' does not.

I do not know if is important that is user in operator group? Mine is but yours is not.

 

[scottro]

elephant my results (this was on the first page of the thread.)

For your earlier question.

mdo -i
root@scott2 scottro $ whoami
root
root@scott2 scottro $ id -p
login scottro
uid root
groups wheel video vboxusers scottro

 

[elephant]

I do not know if is important that is user in operator group? Mine is but yours is not.

As mentioned earlier - I added (and later removed) my login from the operator group. It made no difference.

 

[fernandel]

When you run sysctl security.mac.do.rules='gid=0>uid=0' what happened when you run as user mdo -i something?

 

[elephant]

fernandel that works but I have to specify '-i' everytime and -u no longer works.

If I take your rule and append gid=0,+gid=0,gid=5,+gid=5 then I no longer need '-i'.

Note that both clauses (gid=xxx and +gid=xxx) for wheel and operator need to be specified this way or it doesn't work.

I think this paragraph from the man page may be a clue:

The target process credentials have to be fully specified, either explicitly by listing all attributes and their requested values, or indirectly by establishing a baseline that provides a default value for each attribute, which can be amended by additional options.

The rule I gave explicitly defines the target credentials while fernandel's example requires '-i' (implicit?) to infer the target credentials.

 

[scottro]

To add to an old thread. I had two machines where mdo -i worked as expected. However, on a third machine I'd get
cred() failed: Operation not permitted

It turned out that this was because on the 3rd machine, I wasn't a member of the wheel group. Once I added myself to wheel, logged out and logged back in, mdo worked as expected. I gave a thanks to elephant because his earlier post gave me the clue.

 

[fernandel]

To add to an old thread. I had two machines where mdo -i worked as expected. However, on a third machine I'd get
cred() failed: Operation not permitted

It turned out that this was because on the 3rd machine, I wasn't a member of the wheel group. Once I added myself to wheel, logged out and logged back in, mdo worked as expected. I gave a thanks to elephant because his earlier post gave me the clue.

Did you find something about logs, please?

 

[Hiroo Ono]

Can we log mdo issued by auditd?
If we can log the setcred(2) issued with arguments, but I could not understand well how to do it.

 

[Hiroo Ono]

Not really a problem, but I do not understand this behavior

# sysctl security.mac.do.rules
security.mac.do.rules: uid=169>uid=0,gid=0;gid=0>any

# mdo -u acme mdo ls
mdo: setcred(): Operation not permitted
# mdo -u acme --euid root mdo ls
Makefile        distinfo        files           pkg-descr       pkg-plist

 

[elephant]

Hiroo Ono I'm not familiar with the 'any' keyword inside an mdo rule.

 

[Hiroo Ono]

It turned out to be a simple problem
Setting the rule below and issuing mdo as the user acme(uid=169) does not work.

$ sysctl security.mac.do.rules
security.mac.do.rules: uid=169>uid=0,gid=0

$ mdo  ls
mdo: setcred(): Operation not permitted

 

[elephant]

Hiroo Ono I'm not sure why but adding a ",+gid=0,+gid=5" to the end of the rule might help.
security.mac.do.rules: uid=169>uid=0,gid=0,+gid=0,+gid=5

 

[elephant]

Did you find something about logs, please?

Can we log mdo issued by auditd?
If we can log the setcred(2) issued with arguments, but I could not understand well how to do it.

This would be a nice enhancement. /etc/security/audit_event defines an entry to sudo.

 

[Hiroo Ono]

Hiroo Ono I'm not sure why but adding a ",+gid=0,+gid=5" to the end of the rule might help.
security.mac.do.rules: uid=169>uid=0,gid=0,+gid=0,+gid=5

Thank you. It worked.

 

[fernandel]

What is different between my setting where I need to use mdo -i or elephant which works just with mdo. I think difference related to security, please?

 

[elephant]

I don't full understand -u vs. -i. I should re-read that Journal article.

 

[BigSneakyDuck]

I wish security/doas was in base.

The config is as easy as

permit :wheel

or similar.

One of the advantages of using doas on OpenBSD is that it uses a very secure authentication ticketing system built into the OS itself. FreeBSD doesn't currently support the required TIOCCHKVERAUTH ioctl which is why the doas port doesn't have a working persistence option. There are some technical details here: https://flak.tedunangst.com/post/doas-mastery ; archived at https://web.archive.org/web/20250812140828/https://flak.tedunangst.com/post/doas-mastery

I would also love to see this integrated in base FreeBSD!

 

[fernandel]

One of the advantages of using doas on OpenBSD is that it uses a very secure authentication ticketing system built into the OS itself. FreeBSD doesn't currently support the required TIOCCHKVERAUTH ioctl which is why the doas port doesn't have a working persistence option. There are some technical details here: https://flak.tedunangst.com/post/doas-mastery

I would also love to see this integrated in base FreeBSD!

mdo(1)​

is integrated.

 

[BigSneakyDuck]

mdo(1)​

is integrated.

Indeed, sorry if I wasn't clear but I was agreeing with vyryls that I wished doas(1) was integrated into FreeBSD. But my point was that doing so properly is about more than the current package, it would require changes to the kernel.

mdo(1) is nice too, but is different. For example the lack of logging. In fact if you read the FreeBSD Journal article, it's clear the creators of mdo(1) aren't quite sure what to do with it in the long run and want user feedback: https://freebsdfoundation.org/our-w...redentials-transitions-with-mdo1-and-mac_do4/

The essential message here is that, while we have a few simple short-term plans and more loose longer-term ones, future directions will depend for the most part on current or potential users’ feedback. We are eager to hear suggestions for small improvements or entirely new features, whether you are already using mac_do(4)/mdo(1), are planning to, or would like to but cannot because your use case is not covered by existing functionality. This will help us select what to work on while keeping the overall design sound. Even just saying you’re using them is useful feedback, as it is good to know how many users we have and how they are using these tools.

In the short term, we expect to add auditing-like functionalities to mac_do(4)/mdo(1). Displaying the final credentials passed to the kernel would help check if the invocation was correct with respect to the expected goals. Producing the target part of a mac_do(4)’s rule authorizing exactly a specific mdo(1) call could help administrators build mac_do(4) configurations or better understand why some do not work as expected. Integration to the audit(4) subsystem would allow tracking credentials changes after the fact. Logging failed attempts through syslog(3) would match what login(1) and other credentials-changing program do. mac_do(4) will soon allow configuring the executables whose processes it will consider, with the aim to support thin-jails scenarios and other userland programs24. It should also monitor traditional system calls such as setuid(2) in addition to just setcred(2), considering each call as a full transition on its own24.

Longer term, we may consider providing su-like and doas-like functionalities, e.g., to ask for a password or perhaps more generally leveraging pam(3), establish resource limits and other attributes as in a full login, or allow only certain commands to be launched. However, it is not yet clear how these functionalities could be fit into mdo(1), as it is not a “setuid executable”, and if different paths should be pursued instead.

People making use of mdo(1) should definitely let the creators know, even just so they know that someone out there is using it! But that final paragraph did not sit well with me: trying to make mdo(1) more featureful so it becomes "the FreeBSD doas" seems quite contrary to the niche mdo(1) currently occupies. I believe many users would like a native equivalent of doas(1) - or at least, I'm sure I'm not alone in this - but I wouldn't want mdo(1) to be shoehorned into the role just because users call for one. Instead of reinventing the wheel I'd much rather see doas(1) imported properly, and mdo(1) allowed to evolve in its own direction without pressure to fulfil a role it wasn't intended for.

 

[scottro]

Doesn't opendoas do persistance? I think it does on Linux. (and I don't know its disadvantages).

 

[fernandel]

Doesn't opendoas do persistance? I think it does on Linux. (and I don't know its disadvantages).

Your link of opendoas said:

"Description:
This is a port of OpenDoas, which in itself is a port of OpenBSD's doas forLinux and MacOS. OpenDoas unlike OpenBSD's doas supports persist on FreeBSD(and Linux + MacOS)."