<![CDATA[I’ve been replacing sudo/doas on most of my FreeBSD boxes with something much smaller: mdo(1) + mac_do(4) from base.]]>I’ve been replacing sudo/doas on most of my FreeBSD boxes with something much smaller: mdo(1) + mac_do(4) from base.

No port. No sudoers parser. No setuid helper. Just a kernel MAC policy, a sysctl rule, and an explicit “SSH is the gate” security model.

Wrote up the full walkthrough for FreeBSD 15, including rule syntax, examples, caveats, and my surrounding hardening sysctls:

Link Preview Image
mdo on FreeBSD 15: Base-System Privilege Delegation with mac_do

FreeBSD 15 ships mdo(1) and the mac_do(4) policy module in the base system. It replaces sudo and doas for most of my hosts, needs no ports, and configures wi...

favicon

Larvitz Blog (blog.hofstede.it)

]]>https://board.circlewithadot.net/topic/ba4e50eb-7d46-4386-af08-d6c99f288ec5/i-ve-been-replacing-sudo-doas-on-most-of-my-freebsd-boxes-with-something-much-smaller-mdo-1-mac_do-4-from-base.RSS for NodeMon, 25 May 2026 20:44:59 GMTMon, 18 May 2026 16:19:54 GMT60<![CDATA[Reply to I’ve been replacing sudo/doas on most of my FreeBSD boxes with something much smaller: mdo(1) + mac_do(4) from base. on Mon, 18 May 2026 19:36:40 GMT]]>@feld thank you for pointing that out. Article is updated with a note. I attributed you in the top of the article for the helpful feedback!

]]>https://board.circlewithadot.net/post/https://burningboard.net/users/Larvitz/statuses/116597260345107687https://board.circlewithadot.net/post/https://burningboard.net/users/Larvitz/statuses/116597260345107687Mon, 18 May 2026 19:36:40 GMT<![CDATA[Reply to I’ve been replacing sudo/doas on most of my FreeBSD boxes with something much smaller: mdo(1) + mac_do(4) from base. on Mon, 18 May 2026 19:14:43 GMT]]>@Larvitz great write up! Definitely bookmarked here! Thank you!

]]>https://board.circlewithadot.net/post/https://ruby.social/users/vito/statuses/116597174038969021https://board.circlewithadot.net/post/https://ruby.social/users/vito/statuses/116597174038969021Mon, 18 May 2026 19:14:43 GMT<![CDATA[Reply to I’ve been replacing sudo/doas on most of my FreeBSD boxes with something much smaller: mdo(1) + mac_do(4) from base. on Mon, 18 May 2026 19:11:30 GMT]]>@Larvitz really interesting, thank you for the writeup!

]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/adamshostack/statuses/116597161385097295https://board.circlewithadot.net/post/https://infosec.exchange/users/adamshostack/statuses/116597161385097295Mon, 18 May 2026 19:11:30 GMT<![CDATA[Reply to I’ve been replacing sudo/doas on most of my FreeBSD boxes with something much smaller: mdo(1) + mac_do(4) from base. on Mon, 18 May 2026 18:14:32 GMT]]>@Larvitz Thanks for this, mdo is exactly what I was looking for. One question regarding your net.link.bridge.pfil_* recommendation: pf on my hosts filters on the bridge interface (1) instead of the member interfaces (0) - what are the advantages of turning this setup around?

]]>https://board.circlewithadot.net/post/https://social.eden.one/users/jan/statuses/116596937327630119https://board.circlewithadot.net/post/https://social.eden.one/users/jan/statuses/116596937327630119Mon, 18 May 2026 18:14:32 GMT