Date:      Mon, 20 Aug 2018 14:59:16 +0000
From:      "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To:        "Stefan Bethke" <stb@lassitu.de>
Cc:        "FreeBSD Stable" <freebsd-stable@freebsd.org>
Subject:   Re: Bind to port <1024 in jail
Message-ID:  <D9F9531F-6EB5-44F9-B8F3-523C0C2E0E44@lists.zabbadoz.net>
In-Reply-To: <75536186-7D58-498C-BFC6-9284EB7CB444@lassitu.de>
References:  <75536186-7D58-498C-BFC6-9284EB7CB444@lassitu.de>

On 20 Aug 2018, at 14:47, Stefan Bethke wrote:

> I have a Go program (acme-dns) that wants to bind 53, 80, and 443, and 
> I’d rather have it run as a non-privileged user.  The program 
> doesn’t provide a facility to drop privs after binding the ports. 
> I’m planning to run it in a jail.
>
> After some googling, it appears that a couple of years ago I should 
> have been able to do:
> sysctl net.inet.ip.portrange.reservedhigh=0
> and allow all processes to bind to „low“ ports. This does not work 
> in my jails on a 11-stable host.
>
> $ sudo sysctl net.inet.ip.portrange.reservedhigh=0
> net.inet.ip.portrange.reservedhigh: 1023
> sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted
>
> Securelevel should not interfere:
> $ sysctl kern.securelevel
> kern.securelevel: -1
>
> Is there a way to allow regular processes to bind to low ports?

You have to set it on the base system; alternatively with vnet you might be able to change it per-jail.

/bz
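As an added illustration of the two options named in the reply (not part of the thread, and not acme-dns' own configuration), here is a hypothetical jail.conf entry for a vnet jail that relaxes the reserved port range only inside that jail and then starts the service as an unprivileged user; the jail name, paths, interface names and the jail's rc settings are assumptions, and whether the in-jail sysctl is accepted depends on the kernel virtualizing it for vnet jails, which the reply only says "might" be the case.

```conf
# Added example, not from the thread. Hypothetical /etc/jail.conf entry.
#
# Host-wide alternative from the reply (set on the base system):
#   /etc/sysctl.conf:  net.inet.ip.portrange.reservedhigh=0
# Caveat: that change applies to every unprivileged process on the host and
# in every non-vnet jail, not just the one service that needs 53/80/443.
#
# Per-jail alternative: give the jail its own network stack (vnet), so the
# net.inet.ip.portrange.* knobs belong to the jail and the host keeps its
# defaults (reservedlow=0, reservedhigh=1023).
acmedns {
    path = "/usr/local/jails/acmedns";      # assumed path
    host.hostname = "acmedns.example";      # assumed hostname
    vnet;
    vnet.interface = "epair0b";             # assumed epair; epair0a stays on the host

    # Create the epair on start and tear it down on stop (address
    # configuration inside the jail is left out of this fragment).
    exec.prestart = "ifconfig epair0 create";
    exec.poststop = "ifconfig epair0a destroy";

    # Relax the reserved range inside this jail's vnet only, then run the
    # jail's rc, whose (assumed) rc.conf starts the service as a
    # non-root user so the program never needs to drop privileges itself.
    exec.start  = "sysctl net.inet.ip.portrange.reservedhigh=0";
    exec.start += "/bin/sh /etc/rc";
    exec.stop   = "/bin/sh /etc/rc.shutdown";
}
```

Check the effect from inside the jail with `sysctl net.inet.ip.portrange.reservedhigh` before relying on it; if the write is rejected as in the original post, the host-wide setting remains the fallback.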