https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=290140
Olivier Certner <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords|regression | Status|New |Closed Assignee|[email protected] |[email protected] Resolution|--- |Works As Intended --- Comment #4 from Olivier Certner <[email protected]> --- Hi, The "new syntax" (well, we are just talking about the ":" => ">" change) works as the old (and as you noted, ":" is still accepted). Effectively, ">" is a special character to the shell and you have to quote it. Obviously, this drawback was considered when changing the separator between the from/to parts of a rule, but was then deemed a minor inconvenience compared to having a more readable rule specification (":" is very much associated to path separation in UNIX, and catches the eye too much IMO, whereas this is not the separator between rules but just inside rules between parts; and ">" is supposed to evoke an arrow, helping visualize the authorized transition). The plan was to deprecate ":" at some point (that's why it was removed from the documentation; not before 16 in any case), but if people absolutely prefer ":", we can as well keep it indefinitely. The "Operation not permitted" you are observing is perfectly normal (and it is not a regression). As explained in the manual page, if you specify a clause with type "gid" in the "to" part of a rule, then no default are applied for groups and you get what you asked for. In your example, only 0 is allowed for primary groups (real, effective, saved variants) and *no supplementary groups* are allowed at all. This is not going to work on regular installations, where 'root' is a member of the 'wheel' and 'operator' supplementary groups. So what you want instead if you want to be very-fine grained is: sysctl security.mac.do.rules='uid=1001>uid=0,gid=0,+gid=0,+gid=5' -- You are receiving this mail because: You are the assignee for the bug.
