From nobody Mon Oct 11 15:56:22 2021 X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 1C3A417F8AC0 for ; Mon, 11 Oct 2021 15:56:36 +0000 (UTC) (envelope-from bsd-lists@bsdforge.com) Received: from udns.ultimatedns.net (static-24-113-41-81.wavecable.com [24.113.41.81]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "ultimatedns.net", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4HSk1b4W81z3NvL; Mon, 11 Oct 2021 15:56:35 +0000 (UTC) (envelope-from bsd-lists@bsdforge.com) Received: from ultimatedns.net (localhost [127.0.0.1]) by udns.ultimatedns.net (8.16.1/8.16.1) with ESMTP id 19BFuMqE064808; Mon, 11 Oct 2021 08:56:28 -0700 (PDT) (envelope-from bsd-lists@bsdforge.com) List-Id: Technical discussions relating to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-hackers List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-hackers@freebsd.org MIME-Version: 1.0 Date: Mon, 11 Oct 2021 08:56:22 -0700 From: Chris To: Yuri Cc: Freebsd hackers list Subject: Re: Possible to start the process with setuid while allowing it to listen on privileged ports? In-Reply-To: <6e98975c-34e5-246f-5b86-700b5f847815@rawbw.com> References: <6e98975c-34e5-246f-5b86-700b5f847815@rawbw.com> User-Agent: UDNSMS/17.0 Message-ID: <1db5aa695aac2b6a0b5bf4bd3b553af5@bsdforge.com> X-Sender: bsd-lists@bsdforge.com Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 4HSk1b4W81z3NvL X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-ThisMailContainsUnwantedMimeParts: N On 2021-10-11 08:50, Yuri wrote: > Normal way to do this is for the application to first listen on the port and > then setuid. > > > My question is about the situation when the application isn't willing to do > this. > > > The project author says that setuid is too difficult in Go and Linux allows > to do > this through systemd: > > https://github.com/coredns/coredns/issues/4917#issuecomment-939892548 > > > Can in FreeBSD the process be run as a regular user but still be allowed to > bind > to privileged ports? Doesn't (X)org do this? If I'm right, maybe there's a clue there? HTH --Chris > > > Thanks, > > Yuri