Playing with mdo(1)

A bit overkill, but this works as a sudo-ish replacement.

Assuming (as root):

sh:
root@host: $ id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

... then set this rule where xxxx is your ordinary user's ID.

sh:
root@host: $ sysctl security.mac.do.rules='uid=xxxx>uid=0,gid=0,+gid=0,gid=5,+gid=5'

Then as the ordinary user ...

sh:
ordinary@host: $ mdo -u root whoami
root

Apparently, 'root' is the default so you can omit the '-u' clause for a shorter syntax.

sh:
ordinary@host: $ mdo whoami
root

Edit: I've switched to a slightly shortened version:

sh:
root@host: $ sysctl security.mac.do.rules='uid=xxxx>uid=0,gid=0,+gid=0,+gid=5'
 
My setup is:
/etc/config.sys /etc/sysctl.conf
Code:
security.mac.do.enabled
security.mac.do.rules='gid=0>uid=0'

and in /boot/loader.conf:
Code:
mac_do_load="YES"
https://freebsdfoundation.org/our-w...redentials-transitions-with-mdo1-and-mac_do4/
 
Many moons have passed and I forgot. I think I had
PATH C:\DOS
SET SOUND=C:\SB16
:cool:
These are my 'latest' contents from about 2000 when I was using them :)

autoexec.bat

Code:
SET TEMP=F:\TEMP
LH C:\CDROM\MSCDEX /D:MSCD000
mode con codepage prepare=((852) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=852
keyb pl,,C:\WINDOWS\COMMAND\keybrd4.sys

config.sys

Code:
DEVICE=C:\WINDOWS\setver.exe
device=C:\WINDOWS\COMMAND\display.sys con=(ega,,1)
Country=048,852,C:\WINDOWS\COMMAND\country.sys
LASTDRIVE=Z
DEVICEHIGH=C:\CDROM\GSCDROM.SYS /D:MSCD000 /v
 
Thank you. It refreshed my memory and I remember when I deleted a system file on Saturday and I hadn't made a system floppy disk, ha ha.
 
I generally prefer to use SSH and keys to change user/perms, as opposed to sudo. Unfortunately OpenSSH refuses to log the command that was run.
 
and my settings in /etc/sysctl.conf are security.mac.do.rules='gid=0>uid=0'
and if I run, for example, mdo -i pkg update, then when it is done I stay in as user, but if I run
pkg -i then I am root and I need to log out.
Are my settings correct?
 
That seems to be what I find as well. I do it in an alacritty terminal and just close that terminal afterwards. For my particular workflow that seems the easiest.

EDIT:
Actually not exactly. In that same terminal, I can just type exit and I'm back at my usual user.
 
fernandel That's interesting. The '-i' option does not work for me.

$ mdo -i pkg update
mdo: setcred(): Operation not permitted


However, this works:

$ mdo pkg update
Updating FreeBSD-ports repository catalogue...
FreeBSD-ports repository is up to date.
Updating FreeBSD-ports-kmods repository catalogue...
FreeBSD-ports-kmods repository is up to date.
All repositories are up to date.


My rules are as posted above.
 
I thought this noteworthy:

id(1) with -p can tell me the login id. This survives mdo(1).

$ id -p
uid ordinary
groups wheel webcamd ordinary
$ mdo id -p
login ordinary
uid root
groups wheel operator
$ mdo mdo id -p
login ordinary
uid root
groups wheel operator
 
elephant (like that name, by the way), I can't duplicate your issue.
mdo -i pkg update
works fine for me.

My user is a member of wheel,video, and vboxusers (which I'll remove when I get around to it as I've switched to bhyve).

Hrmm, if I try mdo id -p I get

mdo: setcred(): Operation not permitted
And doing mdo -i then doing id -p gives me

login user
uid root
groups wheel video vboxusers user
 
fernandel's rule maps anyone in the wheel group to root. I did not want something so broad so I map only one uid to root. I also made sure the resulting groups were comparable to logging in as root. I will try fernandel's rule set next.

Edit: I wasn't able to do anything with the rule 'gid=0>uid=0'. This returned a setcred failure each time.

scottro what is your rule set?
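
The difference between the two rule styles posted in this thread (one uid mapped to root versus the whole wheel group mapped to root), as an added example that is not part of any post: an sh function that classifies each rule in a security.mac.do.rules value by its source. The function name is made up here, and it assumes multiple rules are separated by ';' and recognises only a literal uid=0 target.

```shell
#!/bin/sh
# Added example (not from the thread): audit a security.mac.do.rules value.
# Assumptions: rules are separated by ';' and each has the form '<from>><to>';
# only a literal 'uid=0' in the target list is treated as "can become root".
# Exit status: 0 = only per-user rules, 1 = a group-wide root rule, 2 = malformed.

audit_mac_do_rules() {
    rc=0
    old_ifs=$IFS
    set -f                      # keep any '*' in a rule from globbing while splitting
    IFS=';'
    for rule in $1; do
        IFS=$old_ifs
        from=${rule%%>*}        # source part, e.g. uid=1001 or gid=0
        to=${rule#*>}           # comma-separated target list
        root=no
        case ",$to," in *,uid=0,*) root=yes ;; esac
        case $rule in
            gid=*'>'*)
                if [ "$root" = yes ]; then
                    echo "BROAD $from: every member of this group can become uid 0"
                    [ "$rc" -ge 1 ] || rc=1
                else
                    echo "GROUP $from: group-wide rule, root=no"
                fi ;;
            uid=*'>'*)
                echo "NARROW $from: one user, root=$root" ;;
            *)
                echo "MALFORMED $rule"
                rc=2 ;;
        esac
    done
    IFS=$old_ifs
    set +f
    return "$rc"
}

# The two rule styles from this thread, used as sample input.
audit_mac_do_rules 'uid=1001>uid=0,gid=0,+gid=0,+gid=5' || true
audit_mac_do_rules 'gid=0>uid=0' || true
```

On a FreeBSD host with mac_do loaded, pass it the live value: audit_mac_do_rules "$(sysctl -n security.mac.do.rules)".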
 
Oh wow.

These give me a new shell. I have to type 'exit' to return.
mdo -u root
mdo

Restoring my rule set 'uid=1001>uid=0,gid=0,gid=5,+gid=0,+gid=5'

These work:
mdo pkg update
mdo -u root pkg update

These do not:
mdo -i pkg update
mdo -k pkg update

That quirk aside, since I don't use the '-i' switch, mdo(1) works fine for me.

I don't think I have an adequate understanding of what the man page is trying to tell me about -i and -k.
 
scottro fernandel what is your login id's primary group? I went so far as to add my login to the operator group to more closely match fernandel's login. My primary group is not wheel. I still get setcred failures. Edit: I can only use -i or -k as root.
 
Code:
mdo -i
whoami
root
id -p
login user
uid root
groups wheel operator video user

In the user shell: Please, check next msg
 