Discussion:
Generic module for managing access through the mac framework
Nicolas MASSE
2024-06-04 14:47:50 UTC
Hello,


At my company, we are working on a generic mac module. Its purpose is to grant some users a set of privileges in order to run their services.

For example, it can be configured in order to allow the ntp user to set the system clock (PRIV_CLOCK_SETTIME), or allow a process to change its user or groups (PRIV_CRED_SET[UID|GID|GROUPS]), restricting them to some allowed values.

After reading the discussions around the mac_do module, I was wondering if other people could be interested in such a more generic module.

Even though it doesn't do the exact same thing, it still has a lot in common with mac_do while extending its capabilities.


So far, it is still a work in progress so we don't have code to share yet. Though I think it'd be interesting to speak about the idea.

I can explain further how we plan to do this if any of you is interested.


Regards,
Nicolas Masse
Alexander Leidinger
2024-06-05 07:07:26 UTC
Post by Nicolas MASSE
> Hello,
>
> At my company, we are working on a generic mac module. Its purpose is
> to grant some users a set of privileges in order to run their services.
>
> For example, it can be configured in order to allow the ntp user to set
> the system clock (PRIV_CLOCK_SETTIME), or allow a process to change its
> user or groups (PRIV_CRED_SET[UID|GID|GROUPS]), restricting them to some
> allowed values.
>
> After reading the discussions around the mac_do module, I was wondering
> if other people could be interested in such a more generic module.
>
> Even though it doesn't do the exact same thing, it still has a lot in
> common with mac_do while extending its capabilities.
>
> So far, it is still a work in progress so we don't have code to share
> yet. Though I think it'd be interesting to speak about the idea.
>
> I can explain further how we plan to do this if any of you is
> interested.

This sounds a bit like the Solaris RBAC/privileges.


https://docs.oracle.com/cd/E23824_01/html/821-1456/prbac-1.html#scrolltoc

IMO it would be worth including, as it allows more fine-grained
access to privileged stuff without the need to hand out full root
permissions to some applications.

Bye,
Alexander.
--
http://www.Leidinger.net ***@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org ***@FreeBSD.org : PGP 0x8F31830F9F2772BF