Date: Tue, 13 Oct 2015 19:46:09 +0100
From: Matt Smith <fbsd@xtaz.co.uk>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: setsockopt Operation not permitted as non-root user
Message-ID: <20151013184609.GD90075@xtaz.uk>
I'm running net/sslh in transparent mode using IPFW to forward packets to/from it. This works fine with no issues but I have to run it as root. I was wondering if there is any way to use this running as a non-root user. When I try this I get the following error:

sslh-select[35325]: setsockopt IP_BINDANY:1:Operation not permitted

I was thinking I could maybe use mac_portacl(4) to allow this but it doesn't seem to work. I tried setting security.mac.portacl.rules to uid:65534:tcp:423,uid:65534:tcp:444 and set net.inet.ip.portrange.reservedhigh to 0. I still get the same error.

The reason I'm using those ports is because of the IPFW rules:

ipfw add 00020 fwd 10.0.0.10,4444 tcp from 192.168.1.0/24 to 10.0.0.10 443 in via re0
ipfw add 00021 fwd 10.0.0.10,4444 tcp from 10.0.0.10 423,444 to 192.168.1.0/24 out via re0

192.168.1.0/24 isn't the actual network I'm using, but you get the gist. And I have openssh and a webserver listening on 423 and 444, with sslh on port 4444.

Alternatively, Linux appears to have something called capabilities and specifically CAP_NET_ADMIN where it appears you can give the process enough extra privileges to do this itself. I assume the equivalent on FreeBSD is mac_portacl though?

--
Matt