I’ve been replacing sudo/doas on most of my FreeBSD boxes with something much smaller: mdo(1) + mac_do(4) from base.

No port. No sudoers parser. No setuid helper. Just a kernel MAC policy, a sysctl rule, and an explicit “SSH is the gate” security model.

Wrote up the full walkthrough for FreeBSD 15, including rule syntax, examples, caveats, and my surrounding hardening sysctls:

https://blog.hofstede.it/mdo-on-freebsd-15-base-system-privilege-delegation-with-mac_do/

#FreeBSD #runbsd #mdo #mac_do #sysadmin #security

mdo on FreeBSD 15: Base-System Privilege Delegation with mac_do

FreeBSD 15 ships mdo(1) and the mac_do(4) policy module in the base system. It replaces sudo and doas for most of my hosts, needs no ports, and configures with a single sysctl. This article walks t...

Larvitz Blog
⭕ In #Saint-Denis, activists are blocking the #Mac_Do in support of #Palestine. 🎥 #RevPermanente