From owner-freebsd-stable@freebsd.org  Mon Aug 20 14:47:22 2018
Return-Path: <owner-freebsd-stable@freebsd.org>
Delivered-To: freebsd-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id D30A510705A3
 for <freebsd-stable@mailman.ysv.freebsd.org>;
 Mon, 20 Aug 2018 14:47:22 +0000 (UTC) (envelope-from stb@lassitu.de)
Received: from gilb.zs64.net (gilb.zs64.net [IPv6:2a00:14b0:4200:32e0::1ea])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "gilb.zs64.net", Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 7768670650
 for <freebsd-stable@freebsd.org>; Mon, 20 Aug 2018 14:47:22 +0000 (UTC)
 (envelope-from stb@lassitu.de)
Received: by gilb.zs64.net (Postfix, from stb@lassitu.de) id 8FCAD1EFCC0
 for <freebsd-stable@freebsd.org>; Mon, 20 Aug 2018 14:47:20 +0000 (UTC)
From: Stefan Bethke <stb@lassitu.de>
Content-Type: text/plain;
	charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Subject: Bind to port <1024 in jail
Message-Id: <75536186-7D58-498C-BFC6-9284EB7CB444@lassitu.de>
Date: Mon, 20 Aug 2018 16:47:18 +0200
To: FreeBSD Stable <freebsd-stable@freebsd.org>
X-Mailer: Apple Mail (2.3445.9.1)
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-stable>, 
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Aug 2018 14:47:23 -0000

I have a Go program (acme-dns) that wants to bind 53, 80, and 443, and =
I=E2=80=99d rather have it run as a non-privileged user.  The program =
doesn=E2=80=99t provide a facility to drop privs after binding the =
ports. I=E2=80=99m planning to run it in a jail.

After some googling, it appears that a couple of years ago I should have =
been able to do:
sysctl net.inet.ip.portrange.reservedhigh=3D0
and allow all processes to bind to =E2=80=9Elow=E2=80=9C ports. This =
does not work in my jails on a 11-stable host.

$ sudo sysctl net.inet.ip.portrange.reservedhigh=3D0
net.inet.ip.portrange.reservedhigh: 1023
sysctl: net.inet.ip.portrange.reservedhigh=3D0: Operation not permitted

Securelevel should not interfere:
$ sysctl kern.securelevel
kern.securelevel: -1

Is there a way to allow regular processes to bind to low ports?


Stefan

--=20
Stefan Bethke <stb@lassitu.de>   Fon +49 151 14070811