diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile
--- a/share/man/man4/Makefile
+++ b/share/man/man4/Makefile
@@ -288,6 +288,7 @@
 	mac_biba.4 \
 	mac_bsdextended.4 \
 	mac_ddb.4 \
+	mac_do.4 \
 	mac_ifoff.4 \
 	mac_ipacl.4 \
 	mac_lomac.4 \
diff --git a/share/man/man4/mac_do.4 b/share/man/man4/mac_do.4
new file mode 100644
--- /dev/null
+++ b/share/man/man4/mac_do.4
@@ -0,0 +1,60 @@
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.\" Copyright (c) 2024 Baptiste Daroussin <bapt@FreeBSD.org>
+.Dd May 9, 2024
+.Dt MAC_DO 4
+.Os
+.Sh NAME
+.Nm mac_do
+.Nd "policy allowing user to execute program as another user"
+.Sh SYNOPSIS
+To compile the mac_do policy into your kernel, place the following lines
+in your kernel configruation file:
+.Bd -ragged -offset indent
+.Cd "options MAC"
+.Cd "options MAC_DO"
+.Ed
+.Pp
+.Sh DESCRIPTION
+The
+.Nm
+policy grants some user the ability to run process as another user
+according to rules.
+.Pp
+The exact set of kernel privileges granted are:
+.Bl -inset -compact -offset indent
+.It Dv PRIV_CRED_SETGROUPS
+.It Dv PROV_CRET_SETUID
+.El
+The following
+.Xr sysctl 8
+MIBs are available:
+.Bl -tag -width indent
+.It Va security.mac.do.enabled
+Enable the
+.Nm
+policy.
+(Default: 1).
+.It Va security.mac.do.rules
+The set of rules.
+.El
+.Pp
+The rules consist in a list of element separated by
+.So , Sc .
+Each elements is in the following form
+.Dq [uid|gid]=<fid>:<tid>
+Where
+.Ar fid
+is the uid or the gid depending on the modifier specicied of the users allowed
+to become
+.Ar tid . and
+.Ar tid is the uid of the targetted user.
+2 special form are accepted for
+.Ar tid :
+.Va any
+or
+.Va *
+which allows to target any users.
+.Sh SEE ALSO
+.Xr mac 4 ,
+.Xr mdo 1
diff --git a/sys/modules/Makefile b/sys/modules/Makefile
--- a/sys/modules/Makefile
+++ b/sys/modules/Makefile
@@ -226,6 +226,7 @@
 	${_mac_biba} \
 	${_mac_bsdextended} \
 	${_mac_ddb} \
+	${_mac_do} \
 	${_mac_ifoff} \
 	${_mac_ipacl} \
 	${_mac_lomac} \
@@ -587,6 +588,7 @@
 .if ${KERN_OPTS:MDDB} || defined(ALL_MODULES)
 _mac_ddb=	mac_ddb
 .endif
+_mac_do=	mac_do
 _mac_ifoff=	mac_ifoff
 _mac_ipacl=	mac_ipacl
 _mac_lomac=	mac_lomac
diff --git a/sys/modules/mac_do/Makefile b/sys/modules/mac_do/Makefile
new file mode 100644
--- /dev/null
+++ b/sys/modules/mac_do/Makefile
@@ -0,0 +1,6 @@
+.PATH: ${SRCTOP}/sys/security/mac_do
+
+KMOD=	mac_do
+SRCS=	mac_do.c
+
+.include <bsd.kmod.mk>
diff --git a/sys/security/mac_do/mac_do.c b/sys/security/mac_do/mac_do.c
new file mode 100644
--- /dev/null
+++ b/sys/security/mac_do/mac_do.c
@@ -0,0 +1,311 @@
+/*
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright(c) 2024 Baptiste Daroussin <bapt@FreeBSD.org
+ */
+
+#include <sys/param.h>
+#include <sys/kernel.h>
+#include <sys/module.h>
+#include <sys/socket.h>
+#include <sys/sysctl.h>
+#include <sys/systm.h>
+#include <sys/ucred.h>
+#include <sys/lock.h>
+#include <sys/mutex.h>
+#include <sys/priv.h>
+
+#include <security/mac/mac_policy.h>
+
+SYSCTL_DECL(_security_mac);
+
+static SYSCTL_NODE(_security_mac, OID_AUTO, do,
+    CTLFLAG_RW|CTLFLAG_MPSAFE, 0, "mac_do policy controls");
+
+static int	do_enabled = 1;
+SYSCTL_INT(_security_mac_do, OID_AUTO, enabled, CTLFLAG_RWTUN,
+    &do_enabled, 0, "Enforce do policy");
+
+static MALLOC_DEFINE(M_DO, "do_rule", "Rules for mac_do");
+
+#define MAC_RULE_STRING_LEN	1024
+
+static struct mtx	rule_mtx;
+static char		rule_string[MAC_RULE_STRING_LEN];
+
+#define RULE_UID	1
+#define RULE_GID	2
+#define RULE_ANY	3
+
+struct rule {
+	int	from_type;
+	union {
+		uid_t f_uid;
+		gid_t f_gid;
+	};
+	int	to_type;
+	uid_t t_uid;
+	TAILQ_ENTRY(rule) r_entries;
+};
+
+static TAILQ_HEAD(rulehead, rule)	rule_head;
+
+static void
+toast_rules(struct rulehead *head)
+{
+	struct rule *r;
+
+	while ((r = TAILQ_FIRST(head)) != NULL) {
+		TAILQ_REMOVE(head, r, r_entries);
+		free(r, M_DO);
+	}
+}
+
+static int
+parse_rule_element(char *element, struct rule **rule)
+{
+	int error = 0;
+	char *type, *id, *p;
+	struct rule *new;
+
+	new = malloc(sizeof(*new), M_DO, M_ZERO|M_WAITOK);
+
+	type = strsep(&element, "=");
+	if (type == NULL) {
+		error = EINVAL;
+		goto out;
+	}
+	if (strcmp(type, "uid") == 0) {
+		new->from_type = RULE_UID;
+	} else if (strcmp(type, "gid") == 0) {
+		new->from_type = RULE_GID;
+	} else {
+		error = EINVAL;
+		goto out;
+	}
+	id = strsep(&element, ":");
+	if (id == NULL) {
+		error = EINVAL;
+		goto out;
+	}
+	if (new->from_type == RULE_UID)
+		new->f_uid = strtol(id, &p, 10);
+	if (new->from_type == RULE_GID)
+		new->f_gid = strtol(id, &p, 10);
+	if (*p != '\0') {
+		error = EINVAL;
+		goto out;
+	}
+	if (*element == '\0') {
+		error = EINVAL;
+		goto out;
+	}
+	if (strcmp(element, "any") == 0 || strcmp(element, "*") == 0) {
+		new->to_type = RULE_ANY;
+	} else {
+		new->to_type = RULE_UID;
+		new->t_uid = strtol(element, &p, 10);
+		if (*p != '\0') {
+			error = EINVAL;
+			goto out;
+		}
+	}
+out:
+	if (error != 0) {
+		free(new, M_DO);
+		*rule = NULL;
+	} else
+		*rule = new;
+	return (error);
+}
+
+static int
+parse_rules(char *string, struct rulehead *head)
+{
+	struct rule *new;
+	char *element;
+	int error = 0;
+
+	while ((element = strsep(&string, ",")) != NULL) {
+		if (strlen(element) == 0)
+			continue;
+		error = parse_rule_element(element, &new);
+		if (error)
+			goto out;
+		TAILQ_INSERT_TAIL(head, new, r_entries);
+	}
+out:
+	if (error != 0)
+		toast_rules(head);
+	return (error);
+}
+
+static int
+sysctl_rules(SYSCTL_HANDLER_ARGS)
+{
+	char *copy_string, *new_string;
+	struct rulehead head, saved_head;
+	int error;
+
+	if (req->newptr == NULL)
+		return (sysctl_handle_string(oidp, rule_string, MAC_RULE_STRING_LEN, req));
+
+	new_string = malloc(MAC_RULE_STRING_LEN, M_DO,
+	    M_WAITOK|M_ZERO);
+	mtx_lock(&rule_mtx);
+	strcpy(new_string, rule_string);
+	mtx_unlock(&rule_mtx);
+
+	error = sysctl_handle_string(oidp, new_string, MAC_RULE_STRING_LEN, req);
+	if (error)
+		goto out;
+
+	copy_string = strdup(new_string, M_DO);
+	TAILQ_INIT(&head);
+	error = parse_rules(copy_string, &head);
+	free(copy_string, M_DO);
+	if (error)
+		goto out;
+	TAILQ_INIT(&saved_head);
+	mtx_lock(&rule_mtx);
+	TAILQ_CONCAT(&saved_head, &rule_head, r_entries);
+	TAILQ_CONCAT(&rule_head, &head, r_entries);
+	strcpy(rule_string, new_string);
+	mtx_unlock(&rule_mtx);
+	toast_rules(&saved_head);
+
+out:
+	free(new_string, M_DO);
+	return (error);
+}
+
+SYSCTL_PROC(_security_mac_do, OID_AUTO, rules,
+    CTLTYPE_STRING|CTLFLAG_RW|CTLFLAG_MPSAFE,
+    0, 0, sysctl_rules, "A",
+    "Rules");
+
+static void
+destroy(struct mac_policy_conf *mpc)
+{
+	mtx_destroy(&rule_mtx);
+	toast_rules(&rule_head);
+}
+
+static void
+init(struct mac_policy_conf *mpc)
+{
+	mtx_init(&rule_mtx, "rule_mtx", NULL, MTX_DEF);
+	TAILQ_INIT(&rule_head);
+}
+
+static bool
+rule_is_valid(struct ucred *cred, struct rule *r)
+{
+	if (r->from_type == RULE_UID && r->f_uid == cred->cr_uid)
+		return (true);
+	if (r->from_type == RULE_GID && r->f_gid == cred->cr_gid)
+		return (true);
+	return (false);
+}
+
+static int
+priv_grant(struct ucred *cred, int priv)
+{
+	struct rule *r;
+
+	if (do_enabled == 0)
+		return (EPERM);
+
+	mtx_lock(&rule_mtx);
+	TAILQ_FOREACH(r, &rule_head, r_entries) {
+		if (rule_is_valid(cred, r)) {
+			switch (priv) {
+			case PRIV_CRED_SETGROUPS:
+			case PRIV_CRED_SETUID:
+				mtx_unlock(&rule_mtx);
+				return (0);
+			default:
+				break;
+			}
+		}
+	}
+	mtx_unlock(&rule_mtx);
+	return (EPERM);
+}
+
+static int
+check_setgroups(struct ucred *cred, int ngrp, gid_t *groups)
+{
+	struct rule *r;
+
+	if (do_enabled == 0)
+		return (0);
+	if (cred->cr_uid == 0)
+		return (0);
+	mtx_lock(&rule_mtx);
+	TAILQ_FOREACH(r, &rule_head, r_entries) {
+		if (rule_is_valid(cred, r)) {
+			mtx_unlock(&rule_mtx);
+			return (0);
+		}
+	}
+	mtx_unlock(&rule_mtx);
+
+	return (EPERM);
+}
+
+static int
+check_setuid(struct ucred *cred, uid_t uid)
+{
+	struct rule *r;
+	int error;
+
+	printf("check for %d from %d\n", uid, cred->cr_uid);
+	if (do_enabled == 0)
+		return (0);
+	if (cred->cr_uid == uid || cred->cr_uid == 0)
+		return (0);
+	error = EPERM;
+	mtx_lock(&rule_mtx);
+	TAILQ_FOREACH(r, &rule_head, r_entries) {
+		if (r->from_type == RULE_UID) {
+			if (cred->cr_uid != r->f_uid)
+				continue;
+			if (r->to_type == RULE_ANY) {
+				error = 0;
+				break;
+			}
+			if (r->to_type == RULE_UID && uid == r->t_uid) {
+				error = 0;
+				break;
+			}
+		}
+		if (r->from_type == RULE_GID) {
+			if (cred->cr_gid != r->f_gid)
+				continue;
+			if (r->to_type == RULE_ANY) {
+				error = 0;
+				break;
+			}
+			if (r->to_type == RULE_UID && uid == r->t_uid) {
+				error = 0;
+				break;
+			}
+		}
+	}
+	mtx_unlock(&rule_mtx);
+	return (error);
+}
+
+static struct mac_policy_ops do_ops =
+{
+	.mpo_destroy = destroy,
+	.mpo_init = init,
+	.mpo_cred_check_setuid = check_setuid,
+	.mpo_cred_check_setgroups = check_setgroups,
+	.mpo_priv_grant = priv_grant,
+};
+
+MAC_POLICY_SET(&do_ops, mac_do, "MAC/do",
+   MPC_LOADTIME_FLAG_UNLOADOK, NULL);
+MODULE_VERSION(mac_do, 1);
diff --git a/usr.bin/Makefile b/usr.bin/Makefile
--- a/usr.bin/Makefile
+++ b/usr.bin/Makefile
@@ -87,6 +87,7 @@
 	lzmainfo \
 	m4 \
 	mandoc \
+	mdo \
 	mesg \
 	ministat \
 	mkdep \
diff --git a/usr.bin/mdo/Makefile b/usr.bin/mdo/Makefile
new file mode 100644
--- /dev/null
+++ b/usr.bin/mdo/Makefile
@@ -0,0 +1,4 @@
+PROG=	mdo
+SRCS=	mdo.c
+
+.include <bsd.prog.mk>
diff --git a/usr.bin/mdo/mdo.1 b/usr.bin/mdo/mdo.1
new file mode 100644
--- /dev/null
+++ b/usr.bin/mdo/mdo.1
@@ -0,0 +1,42 @@
+.\" SPDX-License-Identifier: BSD-2-Clause
+.\"
+.\" Copyright(c) 2024 Baptiste Daroussin <bapt@FreeBSD.org
+.Dd May 9, 2024
+.Dt MDO 1
+.Os
+.Sh NAME
+.Nm mdo
+.Nd execute commands as another user
+.Sh SYNOPSIS
+.Nm
+.Op Fl u Ar username
+.Op Fl i
+.Op command Op args
+.Sh DESCRIPTION
+The
+.Nm
+utility executes the specified
+.Ar command
+as user
+.Ar username .
+.Pp
+If no
+.Ar username
+is provided it defaults on the
+.Va root
+user.
+If no
+.Ar command
+is specificied, it will execute the shell specificed as
+.Va SHELL
+environnement variable, falling back on
+.Pa /bin/sh .
+.Pp
+The
+.Fl i
+option can be used to only call
+.Fn setuid
+and keep the group from the calling user.
+.Sh SEE ALSO
+.Xr su 1
+.Xr mac_do 4
diff --git a/usr.bin/mdo/mdo.c b/usr.bin/mdo/mdo.c
new file mode 100644
--- /dev/null
+++ b/usr.bin/mdo/mdo.c
@@ -0,0 +1,76 @@
+/*
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright(c) 2024 Baptiste Daroussin <bapt@FreeBSD.org
+ */
+
+#include <sys/limits.h>
+
+#include <err.h>
+#include <paths.h>
+#include <pwd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+static void
+usage(void)
+{
+	fprintf(stderr, "usage: mdo [-u username] [-i] [--] [command [args]]\n");
+	exit(EXIT_FAILURE);
+}
+
+int
+main(int argc, char **argv)
+{
+	struct passwd *pw;
+	const char *username = "root";
+	bool uidonly = false;
+	int ch;
+
+	while ((ch = getopt(argc, argv, "u:i")) != -1) {
+		switch (ch) {
+		case 'u':
+			username = optarg;
+			break;
+		case 'i':
+			uidonly = true;
+			break;
+		default:
+			usage();
+		}
+	}
+	argc -= optind;
+	argv += optind;
+
+	if ((pw = getpwnam(username)) == NULL) {
+		if (strspn(username, "0123456789") == strlen(username)) {
+			const char *errp = NULL;
+			uid_t uid = strtonum(username, 0, UID_MAX, &errp);
+			if (errp != NULL)
+				err(EXIT_FAILURE, "%s", errp);
+			pw = getpwuid(uid);
+		}
+		if (pw == NULL)
+			err(EXIT_FAILURE, "Invalid username '%s'", username);
+	}
+	if (!uidonly) {
+		if (initgroups(pw->pw_name, pw->pw_gid) == -1)
+			err(EXIT_FAILURE, "Impossible to call initgroups");
+		if (setgid(pw->pw_gid) == -1)
+			err(EXIT_FAILURE, "Impossible to call setgid");
+	}
+	if (setuid(pw->pw_uid) == -1)
+		err(EXIT_FAILURE, "Impossible to call setuid");
+	if (*argv == NULL) {
+		const char *sh = getenv("SHELL");
+		if (sh == NULL)
+			sh = _PATH_BSHELL;
+		execlp(sh, sh, "-i", NULL);
+	} else {
+		execvp(argv[0], argv);
+	}
+	err(EXIT_FAILURE, "exec failed");
+}