I’ve been replacing sudo/doas on most of my FreeBSD boxes with something much smaller: mdo(1) + mac_do(4) from base.
No port. No sudoers parser. No setuid helper. Just a kernel MAC policy, a sysctl rule, and an explicit “SSH is the gate” security model.
Wrote up the full walkthrough for FreeBSD 15, including rule syntax, examples, caveats, and my surrounding hardening sysctls:
mdo on FreeBSD 15: Base-System Privilege Delegation with mac_do
FreeBSD 15 ships mdo(1) and the mac_do(4) policy module in the base system. It replaces sudo and doas for most of my hosts, needs no ports, and configures wi...
Larvitz Blog (blog.hofstede.it)
-
@Larvitz Thanks for this, mdo is exactly what I was looking for. One question regarding your net.link.bridge.pfil_* recommendation: pf on my hosts filters on the bridge interface (1) instead of the member interfaces (0) - what are the advantages of turning this setup around?
-
@Larvitz really interesting, thank you for the writeup!
-
@Larvitz great write-up! Definitely bookmarked here! Thank you!
-
@feld thank you for pointing that out. The article is updated with a note. I attributed you at the top of the article for the helpful feedback!