How to manage multiple uid/gid in mac.seeotheruids.specificgid

RTFM 15.5.1. The MAC See Other UIDs Policy
Module name: mac_seeotheruids.ko

Kernel configuration line: options MAC_SEEOTHERUIDS

Boot option: mac_seeotheruids_load="YES"

The mac_seeotheruids(4) module extends the security.bsd.see_other_uids and security.bsd.see_other_gids sysctl tunables. This option does not require any labels to be set before configuration and can operate transparently with other modules.

After loading the module, the following sysctl tunables may be used to control its features:
  • security.mac.seeotheruids.enabled enables the module and implements the default settings which deny users the ability to view processes and sockets owned by other users.
  • security.mac.seeotheruids.specificgid_enabled allows specified groups to be exempt from this policy. To exempt specific groups, use the security.mac.seeotheruids.specificgid=XXX sysctl tunable, replacing XXX with the numeric group ID to be exempted.
  • security.mac.seeotheruids.primarygroup_enabled is used to exempt specific primary groups from this policy. When using this tunable, security.mac.seeotheruids.specificgid_enabled may not be set.
EDIT IMHO that's not possible. Would be more or less easy to patch, but for the time being I see no other choice than to create a (one) group for that and add the users in question to this group. Or you use some existing group, e.g. staff or operator.
2nd EDIT: Consider filing a bug report on the handbook. It says "groups" instead of "one specific group", which is misleading.
 
I have enabled options MAC_SEEOTHERUIDS in my kernel
Code:
# Hide UID and GID from other users, except gid 900 (admin)
security.mac.seeotheruids.specificgid=900
security.mac.seeotheruids.specificgid_enabled=1
So only processes with gid 900 can have access. I want to add multiple gids to be allowed. Is it possible?
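The handbook rules quoted in the reply and its one-group workaround, as an added shell example that is not part of the thread: it checks a sysctl.conf fragment for the two constraints (one numeric specificgid; specificgid and primarygroup exemption not both enabled) and wraps the pw(8)/sysctl(8) steps for a single exempt group. The group name seeothers and the user names are assumptions.

```shell
# Added example, not from the thread. Checks a sysctl.conf fragment against
# the mac_seeotheruids rules quoted above and shows the single-group
# workaround. Group name "seeothers" and user names are assumptions.

# Constructed fragment in the shape the poster used.
CONF_OK='security.mac.seeotheruids.specificgid=900
security.mac.seeotheruids.specificgid_enabled=1'

# Constructed fragment that breaks the handbook rule: both exemption
# modes enabled at once.
CONF_BAD='security.mac.seeotheruids.specificgid=900
security.mac.seeotheruids.specificgid_enabled=1
security.mac.seeotheruids.primarygroup_enabled=1'

# conf_value FRAGMENT KEY: print the last value set for KEY, empty if absent.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1
}
# check_conf FRAGMENT: return 0 if consistent, 1 (reason on stderr) if not.
check_conf() {
    gid=$(conf_value "$1" security.mac.seeotheruids.specificgid)
    sg=$(conf_value "$1" security.mac.seeotheruids.specificgid_enabled)
    pg=$(conf_value "$1" security.mac.seeotheruids.primarygroup_enabled)
    if [ "$sg" = 1 ] && [ "$pg" = 1 ]; then
        echo "specificgid_enabled and primarygroup_enabled must not both be set" >&2
        return 1
    fi
    if [ "$sg" = 1 ]; then
        case "$gid" in
            ''|*[!0-9]*) echo "specificgid must be one numeric group ID" >&2; return 1 ;;
        esac
    fi
    return 0
}

# apply_exempt_group GID USER...: the workaround from the reply, i.e. one
# exempt group holding every user who may see other users' processes.
# Run only on a FreeBSD host as root; it calls pw(8) and sysctl(8).
apply_exempt_group() {
    gid=$1; shift
    pw groupshow -g "$gid" >/dev/null 2>&1 || pw groupadd seeothers -g "$gid"
    pw groupmod -g "$gid" -m "$(printf '%s,' "$@" | sed 's/,$//')"
    sysctl security.mac.seeotheruids.specificgid="$gid"
    sysctl security.mac.seeotheruids.specificgid_enabled=1
}
# Example invocation on FreeBSD (constructed names):
#   apply_exempt_group 900 alice bob
check_conf "$CONF_OK" && echo "CONF_OK accepted"
check_conf "$CONF_BAD" || echo "CONF_BAD rejected"
```

To make the settings survive a reboot, keep the two sysctl lines in /etc/sysctl.conf as the poster did, after check_conf accepts them.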
 