From: Bruce M Simpson
To: Mrad James Deane
Cc: freebsd-net@freebsd.org
Date: Wed, 22 Jun 2005 16:14:06 +0100
Subject: Re: www user than root
Message-ID: <20050622151406.GG791@empiric.icir.org>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, Jun 22, 2005 at 05:01:17PM +0200, Mrad James Deane wrote:
> hello I want to know how the www user with uid:80 can print on a privileged
> port like 80 rather than the root user I'm very in trouble I did not find a
> solution yet mac_portacl is one but it is very experimental please help.
> thanks

I think you may have meant 'bind' rather than 'print' here?

Anyway, the way they used to do this back in the day on Linux at least was
to hack the socket code to allow binds to privileged ports by certain
users/groups rather than relying solely on the super-user check.

You could do something like this in FreeBSD 5-STABLE by hacking the
in_pcbbind_setup() function in src/sys/netinet/in_pcb.c to not just call
suser_cred(), but to instead perform a group check, by calling
groupmember(some_privileged_socket_group, cred).

Regards,
BMS
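
The modified check described in the reply above, as an added example that is not part of the original message and is not FreeBSD kernel code: a userland C model of the bind decision before and after the change. The `model_cred` struct, the function names, the 1..1023 reserved range, gid 8080 and the choice to keep uid 0 allowed are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Userland model only; these are not the kernel's types or functions. */
#define RESERVED_LOW    1     /* assumed reserved range: ports 1..1023 */
#define RESERVED_HIGH   1023
#define PRIV_SOCKET_GID 8080  /* hypothetical some_privileged_socket_group */
#define MODEL_NGROUPS   16

struct model_cred {
    unsigned uid;                    /* effective uid */
    unsigned groups[MODEL_NGROUPS];  /* [0] is the effective gid */
    size_t   ngroups;
};
/* Constructed sample credentials. */
const struct model_cred cred_root = { 0,    { 0 },        1 };
const struct model_cred cred_www  = { 80,   { 80, 8080 }, 2 };
const struct model_cred cred_user = { 1001, { 1001 },     1 };

/* Models the question groupmember(gid, cred) answers. */
static bool model_groupmember(unsigned gid, const struct model_cred *cr)
{
    for (size_t i = 0; i < cr->ngroups && i < MODEL_NGROUPS; i++)
        if (cr->groups[i] == gid)
            return true;
    return false;
}

/* Stock policy: only uid 0 may bind a reserved port. Port 0 (ephemeral) passes. */
int bind_check_suser(unsigned port, const struct model_cred *cr)
{
    bool reserved = port >= RESERVED_LOW && port <= RESERVED_HIGH;
    return (reserved && cr->uid != 0) ? EACCES : 0;
}

/* Modified policy: uid 0 or any member of priv_gid. Not scoped to one port. */
int bind_check_group(unsigned port, const struct model_cred *cr, unsigned priv_gid)
{
    bool reserved = port >= RESERVED_LOW && port <= RESERVED_HIGH;
    bool allowed = cr->uid == 0 || model_groupmember(priv_gid, cr);
    return (reserved && !allowed) ? EACCES : 0;
}

int main(void)
{
    printf("www bind 80: %d\n", bind_check_group(80, &cred_www, PRIV_SOCKET_GID));
    return 0;
}
```

In this model the group check covers the whole reserved range, so a credential in the privileged group can bind port 22 or 25 as readily as port 80.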