Playing with mdo(1)

fernandel · Mar 17, 2026

Code:

id -p
uid user
groups wheel operator video user
 mdo -i pkg update
Updating FreeBSD-ports repository catalogue...
FreeBSD-ports repository is up to date.
Updating FreeBSD-ports-kmods repository catalogue...
FreeBSD-ports-kmods repository is up to date.
All repositories are up to date.
id -p
uid    user
groups    wheel operator video user

elephant · Mar 17, 2026

fernandel said:
Code:

id -p

Thanks fernandel . I can't tell your primary group by the output of 'id -p'. With plain 'id', it looks like this:

 $ id

uid=1001(ordinary) gid=1001(ordinary) groups=0(wheel),145(webcamd),1001(ordinary)

Edit: does 'mdo pkg update' work for you? (eg. without the '-i' switch)

fernandel · Wednesday at 9:13 AM

Code:

id
uid=1001(user) gid=1001(user) groups=0(wheel),5(operator),44(video),1001(user)

Code:

 mdo pkg upgrade                                                                
mdo: setcred(): Operation not permitted

elephant · Wednesday at 9:41 AM

Thanks fernandel ! That's crazy. I'm experiencing the opposite where 'mdo' works but 'mdo -i' does not.

fernandel · Wednesday at 9:51 AM

elephant said:
Thanks fernandel ! That's crazy. I'm experiencing the opposite where 'mdo' works but 'mdo -i' does not.

I do not know if is important that is user in operator group? Mine is but yours is not.

scottro · Wednesday at 10:01 AM

elephant my results (this was on the first page of the thread.)

For your earlier question.

mdo -i
root@scott2 scottro $ whoami
root
root@scott2 scottro $ id -p
login scottro
uid root
groups wheel video vboxusers scottro

elephant · Wednesday at 10:22 AM

fernandel said:
I do not know if is important that is user in operator group? Mine is but yours is not.

As mentioned earlier - I added (and later removed) my login from the operator group. It made no difference.

fernandel · Wednesday at 10:27 AM

When you run sysctl security.mac.do.rules='gid=0>uid=0' what happened when you run as user mdo -i something?

elephant · Wednesday at 10:39 AM

fernandel that works but I have to specify '-i' everytime and -u no longer works.

If I take your rule and append gid=0,+gid=0,gid=5,+gid=5 then I no longer need '-i'.

Note that both clauses (gid=xxx and +gid=xxx) for wheel and operator need to be specified this way or it doesn't work.

I think this paragraph from the man page may be a clue:

The target process credentials have to be fully specified, either explicitly by listing all attributes and their requested values, or indirectly by establishing a baseline that provides a default value for each attribute, which can be amended by additional options.

The rule I gave explicitly defines the target credentials while fernandel's example requires '-i' (implicit?) to infer the target credentials.