I’ve been replacing sudo/doas on most of my FreeBSD boxes with something much smaller: mdo(1) + mac_do(4) from base. No port. No sudoers parser. No setuid helper. Just a kernel MAC policy, a sysctl
from Larvitz@burningboard.net to (none) on 18 May 09:19
https://burningboard.net/users/Larvitz/statuses/116596486603862834

I’ve been replacing sudo/doas on most of my FreeBSD boxes with something much smaller: mdo(1) + mac_do(4) from base.

No port. No sudoers parser. No setuid helper. Just a kernel MAC policy, a sysctl rule, and an explicit “SSH is the gate” security model.

Wrote up the full walkthrough for FreeBSD 15, including rule syntax, examples, caveats, and my surrounding hardening sysctls:

https://blog.hofstede.it/mdo-on-freebsd-15-base-system-privilege-delegation-with-mac_do/

#FreeBSD #runbsd #mdo #mac_do #sysadmin #security
