From owner-freebsd-net@FreeBSD.ORG Wed Jun 22 16:09:40 2005
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EEEA816A41C for ; Wed, 22 Jun 2005 16:09:40 +0000 (GMT) (envelope-from molter@tin.it)
Received: from vsmtp12.tin.it (vsmtp12.tin.it [212.216.176.206]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9783843D55 for ; Wed, 22 Jun 2005 16:09:40 +0000 (GMT) (envelope-from molter@tin.it)
Received: from gattaccio.codalunga (82.122.224.189) by vsmtp12.tin.it (7.0.027) (authenticated as molter@tin.it) id 429D6B560084DBBD; Wed, 22 Jun 2005 18:09:38 +0200
Received: by gattaccio.codalunga (Postfix, from userid 1001) id 2E42CC4C9; Wed, 22 Jun 2005 18:08:41 +0200 (CEST)
Date: Wed, 22 Jun 2005 18:08:41 +0200
From: Marco Molteni
To: xtremejames183@msn.com, freebsd-net@freebsd.org
Message-Id: <20050622180841.56be8f27.molter@tin.it>
In-Reply-To: <20050622151406.GG791@empiric.icir.org>
References: <20050622151406.GG791@empiric.icir.org>
X-Mailer: Sylpheed version 1.0.4 (GTK+ 1.2.10; i386-portbld-freebsd6.0)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc:
Subject: Re: www user than root
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 22 Jun 2005 16:09:41 -0000

On Wed, 22 Jun 2005 16:14:06 +0100 Bruce M Simpson wrote:

> On Wed, Jun 22, 2005 at 05:01:17PM +0200, Mrad James Deane wrote:
> > Hello, I want to know how the www user with uid 80 can print on a
> > privileged port like 80 rather than the root user. I'm very in trouble; I
> > did not find a solution yet. mac_portacl is one, but it is very
> > experimental. Please help. Thanks.
>
> I think you may have meant 'bind' rather than 'print' here?
>
> Anyway, the way they used to do this back in the day on Linux at least
> was to hack the socket code to allow binds to privileged ports by
> certain users/groups rather than relying solely on the super-user
> check.
>
> You could do something like this in FreeBSD 5-STABLE by hacking the
> in_pcbbind_setup() function in src/sys/netinet/in_pcb.c to not just
> call suser_cred(), but to instead perform a group check, by calling
> groupmember(some_privileged_socket_group, cred).

I think that the following sysctls do the trick:

molter@gattaccio[~]$ sysctl net|grep reserv
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.reservedlow: 0

marco
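The two sysctls Marco quotes define the port range that bind(2) reserves for root; lowering reservedhigh below 80 removes the root requirement for every port in that range for every user, whereas the mac_portacl(4) module the original poster mentions can hand a single port to a single uid. The script below is an added example, not code from the thread or from FreeBSD: it parses sysctl-style "key: value" lines (a constructed sample of Marco's output), reports whether port 80 still needs root, and prints the sysctl.conf lines for the mac_portacl approach. The mac_portacl sysctl names (security.mac.portacl.port_high, suser_exempt, rules) are assumed from mac_portacl(4) as I remember it and should be checked against the manual page on the target host; with this layout the reserved range is zeroed so the generic root check no longer fires, and mac_portacl re-imposes the restriction on all ports up to port_high except the listed uid/port pair.

```shell
#!/bin/sh
# Added example, not part of the thread. Helpers for the question above:
#  - sysctl_value / port_is_reserved: tell whether a port still needs root
#    to bind(), given the net.inet.ip.portrange.reservedlow/reservedhigh
#    values Marco quotes;
#  - portacl_rule / portacl_config: build the mac_portacl(4) rule that lets
#    one uid bind one port, so only that pair is opened, not the whole range.
# mac_portacl sysctl names are assumed from mac_portacl(4); verify locally.

# Echo the value of KEY from "key: value" lines (sysctl(8) output) on stdin.
sysctl_value() {
    key=$1
    sed -n "s/^${key}: //p"
}

# Exit 0 when PORT lies in [LOW, HIGH], the range bind() reserves for root.
port_is_reserved() {
    port=$1; low=$2; high=$3
    [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]
}

# Build one mac_portacl rule: "uid:<uid>:<tcp|udp>:<port>".
portacl_rule() {
    printf 'uid:%s:%s:%s\n' "$1" "$2" "$3"
}

# Print sysctl.conf lines that hand PORT/PROTO to UID via mac_portacl.
# The reserved range is zeroed so the generic root check stops firing, and
# mac_portacl re-imposes the restriction for ports <= port_high (1023), so
# every other privileged port still needs root (suser_exempt=1 keeps root
# able to bind anything). mac_portacl_load="YES" in /boot/loader.conf is
# still needed to load the module at boot (assumed from the handbook).
portacl_config() {
    uid=$1; proto=$2; port=$3
    cat <<EOF
security.mac.portacl.port_high=1023
security.mac.portacl.suser_exempt=1
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
security.mac.portacl.rules=$(portacl_rule "$uid" "$proto" "$port")
EOF
}

# Constructed sample of the output Marco pasted (an unmodified kernel).
SAMPLE_SYSCTL='net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.reservedlow: 0'

# Report whether uid 80 would currently need root for port 80 on the sample.
check_sample() {
    high=$(printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_value net.inet.ip.portrange.reservedhigh)
    low=$(printf '%s\n' "$SAMPLE_SYSCTL" | sysctl_value net.inet.ip.portrange.reservedlow)
    if port_is_reserved 80 "$low" "$high"; then
        echo "port 80 is reserved (low=$low high=$high): www needs root or a mac_portacl rule"
    else
        echo "port 80 is not reserved (low=$low high=$high)"
    fi
}

check_sample
portacl_config 80 tcp 80
```

On a live host, replace the constructed sample with `sysctl net.inet.ip.portrange | sysctl_value ...` and verify the result by running the daemon as uid 80 and watching whether bind(2) returns EACCES; the point of the mac_portacl layout over simply lowering reservedhigh is that the audit of "who may bind what" stays a one-line rule list instead of a kernel-wide policy change.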