From: Gerald McNulty
To: freebsd-hackers@freebsd.org
Date: Wed, 11 Jan 2012 23:26:31 +0000
Subject: Assigning the PRIV_NETINET_BINDANY privilege required for setsockopt(IP_BINDANY)

Hello,

Using IP_BINDANY to facilitate transparent proxying works as specified. According to the ip(4) man page and sys/netinet/ip_output.c, the PRIV_NETINET_BINDANY privilege is required in order to make a setsockopt() call with IP_BINDANY.
I would like to use this in an app that does not run as uid 0. Is it possible to assign the PRIV_NETINET_BINDANY privilege to a specific uid or process, or can this mechanism only be used in jails to reduce root privileges further?

Thank you
-- 
Gerald McNulty
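As an added example that is not part of the original post: a small C program that exercises the setsockopt(IP_BINDANY) call the question is about and shows the failure an unprivileged process gets when the kernel's privilege check refuses it. Assumptions made here: the helper name try_bindany and the result enum are this example's; the address 203.0.113.10:8080 is a constructed TEST-NET-3 value; and on Linux, where IP_BINDANY does not exist, the code falls back to IP_TRANSPARENT (guarded by CAP_NET_ADMIN), the nearest equivalent, so it compiles on both systems.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Added example (not code from the post). On FreeBSD the option is
 * IP_BINDANY, guarded in the kernel by PRIV_NETINET_BINDANY, as the post
 * says. On Linux, where IP_BINDANY does not exist, IP_TRANSPARENT is the
 * closest equivalent and is guarded by CAP_NET_ADMIN; that fallback is an
 * assumption made so the code compiles on both systems. */
#if defined(IP_BINDANY)
#  define BINDANY_OPT  IP_BINDANY
#  define BINDANY_NAME "IP_BINDANY"
#elif defined(IP_TRANSPARENT)
#  define BINDANY_OPT  IP_TRANSPARENT
#  define BINDANY_NAME "IP_TRANSPARENT"
#else
#  error "neither IP_BINDANY nor IP_TRANSPARENT is available here"
#endif

enum bindany_result {
    BINDANY_OK = 0,   /* option accepted and the foreign bind succeeded */
    BINDANY_DENIED,   /* setsockopt refused by the privilege check (EPERM/EACCES) */
    BINDANY_OTHER     /* socket(), inet_pton() or bind() failed for another reason */
};

/*
 * Open a TCP socket, request the "bind to any address" option and then bind
 * to an address this host does not own, which is what a transparent proxy
 * does to impersonate the original destination. On return *err holds the
 * errno of the failing call, or 0 on success. The helper name is this
 * example's own.
 */
enum bindany_result try_bindany(const char *foreign_ip, uint16_t port, int *err)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) {
        *err = errno;
        return BINDANY_OTHER;
    }

    int one = 1;
    if (setsockopt(fd, IPPROTO_IP, BINDANY_OPT, &one, sizeof one) != 0) {
        *err = errno;          /* save before close() can clobber errno */
        close(fd);
        /* This is the path a process without the privilege hits: the
         * kernel's check fails and setsockopt returns EPERM. */
        return (*err == EPERM || *err == EACCES) ? BINDANY_DENIED : BINDANY_OTHER;
    }

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, foreign_ip, &sin.sin_addr) != 1) {
        *err = EINVAL;
        close(fd);
        return BINDANY_OTHER;
    }

    /* Without the option this bind would fail with EADDRNOTAVAIL, because
     * the address is not configured on any local interface. */
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0) {
        *err = errno;
        close(fd);
        return BINDANY_OTHER;
    }

    close(fd);
    *err = 0;
    return BINDANY_OK;
}

int main(void)
{
    /* 203.0.113.10 is from TEST-NET-3 (RFC 5737): a constructed address that
     * no real host should own, so a successful bind proves the option worked. */
    int err = 0;
    enum bindany_result r = try_bindany("203.0.113.10", 8080, &err);

    switch (r) {
    case BINDANY_OK:
        printf("%s accepted; bound to foreign address as uid %u\n",
               BINDANY_NAME, (unsigned)getuid());
        break;
    case BINDANY_DENIED:
        printf("%s refused: %s (uid %u lacks the privilege)\n",
               BINDANY_NAME, strerror(err), (unsigned)getuid());
        break;
    default:
        printf("could not test %s: %s\n", BINDANY_NAME, strerror(err));
        break;
    }
    return r == BINDANY_OK ? 0 : 1;
}
```

Running it once as an ordinary user and once as uid 0 shows the two outcomes side by side: the refusal is the EPERM from the privilege check, the success is the foreign bind going through. The program only reports whether the calling process currently holds the privilege; it does not grant it, which is the part the question above leaves open.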