Date: Thu, 2 Oct 2008 19:52:55 GMT From: Rene Ladan <rene@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 150813 for review Message-ID: <200810021952.m92JqtAt012925@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=150813 Change 150813 by rene@rene_self on 2008/10/02 19:52:40 Fix some nits in revision 1.73 of the MAC chapter, propagate the changes to the Dutch version where applicable. Checked build (nl + en). Affected files ... .. //depot/projects/docproj_nl/en_US.ISO8859-1/books/handbook/mac/chapter.sgml#5 edit .. //depot/projects/docproj_nl/nl_NL.ISO8859-1/books/handbook/mac/chapter.sgml#9 edit Differences ... ==== //depot/projects/docproj_nl/en_US.ISO8859-1/books/handbook/mac/chapter.sgml#5 (text+ko) ==== @@ -700,7 +700,7 @@ implement the labeling feature, including the Biba, Lomac, <acronym>MLS</acronym> and <acronym>SEBSD</acronym> policies.</para> - + <para>In many cases, the <option>multilabel</option> may not need to be set at all. Consider the following situation and security model:</para> @@ -967,12 +967,6 @@ <screen>&prompt.root; <userinput>ugidfw add subject not uid root new object not uid root mode n</userinput></screen> - <note> - <para>In releases prior to &os; 5.3, the - <parameter>add</parameter> parameter did not exist. In those - cases the <parameter>set</parameter> should be used - instead. See below for a command example.</para></note> - <para>This is a very bad idea as it will block all users from issuing even the most simple commands, such as <command>ls</command>. A more patriotic list of rules @@ -1427,6 +1421,7 @@ company information, and financial institution environments. The most unlikely place would be a personal workstation with only two or three users.</para> + </sect2> </sect1> <sect1 id="mac-biba"> @@ -1552,7 +1547,7 @@ to.</para> <para>The &man.mac.biba.4; security policy module permits an - administrator to address which files and programs a user or + administrator to address which files and programs a user or users may see and invoke while assuring that the programs and files are free from threats and trusted by the system for that user, or group of users.</para> @@ -1570,7 +1565,7 @@ utilities. While other users would be grouped into other categories such as testers, designers, or just ordinary users and would only be permitted read access.</para> - + <para>With its natural security control, a lower integrity subject is unable to write to a higher integrity subject; a higher integrity subject cannot observe or read a lower integrity @@ -1733,7 +1728,7 @@ <username>www</username> users into the insecure class:</para> <screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput></screen> - <screen>&prompt.root; <userinput>pw usermod www -L insecure</userinput></screen> + <screen>&prompt.root; <userinput>pw usermod www -L insecure</userinput></screen> </sect2> <sect2> @@ -1887,7 +1882,7 @@ &man.mac.seeotheruids.4; could co-exist and block access not only to system objects but to hide user processes as well. - <para>Begin by adding the following lines to + <para>Begin by adding the following line to <filename>/boot/loader.conf</filename>:</para> <programlisting>mac_seeotheruids_enabled="YES"</programlisting> @@ -2032,9 +2027,10 @@ <sect2> <title>Error: &man..secure.path.3; cannot stat <filename>.login_conf</filename></title> - <para>When I attempt to switch from the <username>root</username> + <para>When I attempt to switch from the <username>root</username> user to another user in the system, the error message - <errorname>_secure_path: unable to state .login_conf</errorname>.</para> + <errorname>_secure_path: unable to state .login_conf</errorname> + appears.</para> <para>This message is usually shown when the user has a higher label setting then that of the user whom they are attempting to ==== //depot/projects/docproj_nl/nl_NL.ISO8859-1/books/handbook/mac/chapter.sgml#9 (text+ko) ==== @@ -1066,13 +1066,6 @@ <screen>&prompt.root; <userinput>ugidfw add subject not uid root new object not uid root mode n</userinput></screen> - <note><!--(rene) dit verwijderen, ook in en_US versie (1.73, regel 970)--> - <para>In versies voor &os; 5.3 bestond de parameter - <parameter>add</parameter> niet. In die gevallen dient in - plaats daarvan <parameter>set</parameter> gebruikt te worden - als in het onderstaande voorbeeld.</para> - </note> - <para>Dit is een slecht idee, omdat het voorkomt dat alle gebruikers ook maar het meest eenvoudige commando kunnen uitvoeren, zoals <command>ls</command>. Een betere lijst met @@ -1534,7 +1527,7 @@ instellingen zijn. De meest onwaarschijnlijke plaats zou een persoonlijk werkstation met slechts twee of drie gebruikers zijn.</para> - </sect2> <!--(rene) ontbreekt in en_US 1.73 ?--> + </sect2> </sect1> <sect1 id="mac-biba"> @@ -1865,7 +1858,7 @@ /dev biba/equal /dev/* biba/equal -/var biba/equal <!--(rene) ws-fout in en_US 1.73 ?--> +/var biba/equal /var/spool biba/equal /var/spool/* biba/equal @@ -1999,8 +1992,8 @@ met &man.mac.seeotheruids.4; naast elkaar bestaan en zowel toegang tot systeemobjecten als tot gebruikersprocessen ontzeggen.</para> - <para>Begin door de volgende regels aan - <filename>/boot/loader.conf</filename> toe te voegen:</para><!--(rene) dit is maar 1 regel? en_US 1.73 --> + <para>Begin door de volgende regel aan + <filename>/boot/loader.conf</filename> toe te voegen:</para> <programlisting>mac_seeotheruids_enabled="YES"</programlisting> @@ -2142,7 +2135,7 @@ <para>Bij het wisselen van <username>root</username> naar een andere gebruiker in het systeem, verschijnt de foutmelding - <errorname>_secure_path: unable to state .login_conf</errorname>.</para><!--(rene) Engelse tekst klopt niet 1.73--> + <errorname>_secure_path: unable to state .login_conf</errorname>.</para> <para>Deze melding komt meestal voor als de gebruiker een hogere labelinstelling heeft dan de gebruiker waarnaar wordt
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200810021952.m92JqtAt012925>