mdo —
execute commands with specific
credentials
mdo |
[-u user |
-k] [-i]
[-g group]
[-G group1,group2,...]
[-s
groups_mod1,groups_mod2,...]
[-h] [--ruid
user] [--svuid
user] [--euid
user] [--rgid
group] [--svgid
group] [--egid
group] [--] [command
[args ...]] |
The mdo utility executes the passed
command with the requested process credentials or, if
no command was specified, the program whose path is
the value of the SHELL environment variable or
/bin/sh if that variable is unset. The calling user
must either be the superuser (effective user ID of 0) or the credentials
transition from the caller's to the requested ones must be authorized by a
MAC module such as
mac_do(4). The target process credentials are applied
atomically using
setcred(2).
Process credentials comprise the real, effective and saved user
IDs, the real, effective and saved group IDs, hereby called the
“primary” groups, and the supplementary groups as a set of
group IDs. Below, the “user” phrase implies that the real,
effective and saved user IDs all have or are going to be set to the same
value. The “primary group” phrase is used similarly with
respect to primary groups.
The target process credentials have to be fully specified, either
explicitly by listing all attributes and their requested values, or
indirectly by establishing a baseline that provides a default value for each
attribute, which can then be amended by additional options.
Possible baselines are either the full set of credentials
established at login for a specific named user, the current credentials, or
the current credentials' primary and supplementary groups which implies some
user is specified explicitly. They are respectively established by using
either option -u with a named user argument, option
-k, or option -i in
conjunction with -u or no other options. If no other
option than -i appears, a default of
-u root is implied.
The primary group can be set or amended with option
-g, whereas the supplementary groups can be either
fully replaced with an explicit list using option -G
or amended through set-like operations with option
-s.
Any of the individual real, effective and saved user and group IDs
can be overridden separately if desired through the options
--ruid, --euid, and
--svuid for users, and
--rgid, --egid, and
--svgid for groups respectively.
The options are:
--euid
user
- Override the effective user. As for
-u,
user may either be a name or a numerical ID.
--egid
group
- Override the effective group. As for
-g,
group may either be a name or a numerical ID.
-G
group1,group2,...
- Set or replace the full set of supplementary groups. As for
-g, groups can be specified by name or numerical
ID. Groups must be separated by commas, and spaces around commas are not
allowed.
-g
group
- Set or amend the primary group. group may be the
name of a group in the group database, else will be interpreted as a
numerical group ID.
-h
- Display usage information and exit.
-i
- Uses the current credentials' primary and supplementary groups as the
baseline. If no other option is present, the target user is assumed to be
“root”. Otherwise,
-u or
-k must be specified.
-k
- Use the current credentials as the baseline. Incompatible with
-u. Implies -i.
--ruid
user
- Override the real user. As for
-u,
user may either be a name or a numerical ID.
--rgid
group
- Override the real group. As for
-g,
group may either be a name or a numerical ID.
-s
groups_mod1,groups_mod2,...
- Incrementally modify the supplementary groups set. The argument is a
comma-separated list of directives:
@
- Reset the set to the empty set. When present, must be the first
directive.
+group
- Include a group.
-group
- Exclude a group.
If -G is also specified, -s
applies on the list installed by it. In this case, the
@ directive cannot be used (this limitation may be
lifted in the future).
--svuid
user
- Override the saved user. As for
-u,
user may either be a name or a numerical ID.
--svgid
group
- Override the saved group. As for
-g,
group may either be a name or a numerical ID.
-u
user
- Specify a target user. If user is the name of some
user in the user database, this option establishes his full login
credentials, as specified by the user and group databases, as the
baseline. Else, user is interpreted as a numerical
user ID, and that ID is used to set the target user only.
Run a command as another user:
Run with explicit primary and supplementary groups:
mdo -u 1001 -g wheel -G staff,operator /bin/sh
Modify only supplementary groups for the current user:
mdo -k -s +wheel,+operator /usr/bin/id
Emulate the effect of a set-user-ID bit on the process image file,
assuming its user ID is “root”:
mdo -k --euid root --svuid root id
The mdo command first appeared in
FreeBSD 14.2.
Support for specifying or amending groups, group-only transitions
and fine-grained control of real, effective and saved variants of user and
primary group first appeared in FreeBSD 15.0.
The mdo program was originally created by
Baptiste Daroussin
<bapt@FreeBSD.org>.
It was modified to use the
setcred(2) system call by Olivier
Certner
<olce@FreeBSD.org>,
who designed the group-related and
fine-grained-control-of-target-credentials functionalities and supervised
Kushagra Srivastava
<kushagra1403@gmail.com>
to add them during Google Summer of Code 2025.
The mdo program is geared to role-based
scenarios. Consequently, it does not ask for any password or request other
form of authentication before trying to establish new credentials, instead
relying solely on the requester's credentials for this purpose.
Specific unprivileged uses may be enabled by using the
mac_do(4) security policy.