handbook/security: document mdo(1) for privilege escalation

Add a new section covering mdo(1), the built-in FreeBSD utility for
executing commands as a different user via the mac_do(4) MAC module.
The section covers loading the kernel module, configuring rules via
sysctl, and basic usage examples.

mdo requires no package installation unlike sudo or doas, and is
part of the base system's MAC framework.

PR: 293535

Author: kovan

documentation/content/en/books/handbook/security/_index.adoc

@@ -4,7 +4,7 @@ part: Part III. System Administration
 prev: books/handbook/boot
 next: books/handbook/jails
 description: Hundreds of standard practices have been authored about how to secure systems and networks, and as a user of FreeBSD, understanding how to protect against attacks and intruders is a must
-tags: ["security", "TCP Wrappers", "Kerberos", "OpenSSL", "OpenSSH", "ACL", "NFSv4 ACLs", "advisories", "sudo", "doas", "capsicum", "monitoring"]
+tags: ["security", "TCP Wrappers", "Kerberos", "OpenSSL", "OpenSSH", "ACL", "NFSv4 ACLs", "advisories", "sudo", "doas", "mdo", "capsicum", "monitoring"]
 showBookMenu: true
 weight: 20
 params:
@@ -410,6 +410,61 @@ $ doas vi /etc/rc.conf
 
 For more configuration examples, please read man:doas.conf[5].
 
+[[security-mdo]]
+=== Shared Administration with mdo
+
+man:mdo[1] is a built-in FreeBSD utility for executing commands as a different user.
+Unlike man:sudo[8] and man:doas[1], mdo requires no additional package installation.
+It uses the man:mac_do[4] kernel module, which is part of the FreeBSD Mandatory Access Control (MAC) framework.
+
+To use mdo, first load the man:mac_do[4] kernel module:
+
+[source,shell]
+....
+# kldload mac_do
+....
+
+To load the module at boot, add it to [.filename]#/etc/rc.conf#:
+
+[source,shell]
+....
+kld_list="${kld_list} mac_do"
+....
+
+Rules are configured via man:sysctl[8].
+Add the following to [.filename]#/etc/sysctl.conf# to enable mdo and define transition rules:
+
+[.programlisting]
+....
+security.mac.do.enabled=1
+security.mac.do.rules=gid=0>uid=0
+....
+
+The rule `gid=0>uid=0` allows members of the `wheel` group (GID 0) to execute commands as `root` (UID 0).
+Multiple rules are separated by semicolons.
+For example, to also allow user with UID 1000 to run commands as the `www` user:
+
+[.programlisting]
+....
+security.mac.do.rules=gid=0>uid=0;uid=1000>uid=80,gid=80
+....
+
+After configuration, commands can be executed with elevated privileges:
+
+[source,shell]
+....
+$ mdo vi /etc/rc.conf
+....
+
+To start an interactive root shell:
+
+[source,shell]
+....
+$ mdo -i
+....
+
+For more information, see man:mdo[1] and man:mac_do[4].
+
 [[security-ids]]
 == Intrusion Detection System (IDS)