Almost every FreeBSD install I touch grows a security/sudo or security/doas package within the first ten minutes. It is reflex at this point. The pattern is: install base, create an admin user, pkg install sudo, drop a file in sudoers.d, move on.

Modern FreeBSD quietly makes that habit unnecessary. mdo(1) and its backing policy module mac_do(4) are in the base system. There is no package to install, no extra repository to trust, no second parser to keep current. The whole thing is one kernel module, one sysctl with a rule string, and a tiny userland command. On the hosts I have migrated, it has replaced sudo entirely.

mdo(1) first appeared in FreeBSD 14.2; the group-related and fine-grained credential controls used below are FreeBSD 15.0-era…