Date: Mon, 11 Oct 2021 19:21:46 +0300
From: Yuri <yuri@aetern.org>
To: Freebsd hackers list <freebsd-hackers@FreeBSD.org>
Subject: Re: Possible to start the process with setuid while allowing it to listen on privileged ports?
Message-ID: <fe2be9d9-471d-7771-2688-47f5e7ee36f5@aetern.org>
In-Reply-To: <6e98975c-34e5-246f-5b86-700b5f847815@rawbw.com>
References: <6e98975c-34e5-246f-5b86-700b5f847815@rawbw.com>
Yuri wrote:
> Normal way to do this is for the application to first listen on the port
> and then setuid.
>
> My question is about the situation when the application isn't willing to
> do this.
>
> The project author says that setuid is too difficult in Go and Linux
> allows to do this through systemd:
>
> https://github.com/coredns/coredns/issues/4917#issuecomment-939892548
>
> Can in FreeBSD the process be run as a regular user but still be allowed
> to bind to privileged ports?

Quoting ip(4):

---
The range of privileged ports which only may be opened by root-owned
processes may be modified by the net.inet.ip.portrange.reservedlow and
net.inet.ip.portrange.reservedhigh sysctl settings. The values default to
the traditional range, 0 through IPPORT_RESERVED-1 (0 through 1023),
respectively. Note that these settings do not affect and are not
accounted for in the use or calculation of the other
net.inet.ip.portrange values above. Changing these values departs from
UNIX tradition and has security consequences that the administrator
should carefully evaluate before modifying these settings.
---
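The "listen first, then setuid" pattern the quoted message calls the normal way, as an added Go example that is not CoreDNS's code and not part of this thread; it assumes the process is started as root and that the caller supplies the uid/gid of an unprivileged service account. It uses the setuid family of calls available on FreeBSD and Linux, so net.inet.ip.portrange.reservedlow/reservedhigh stay at their defaults.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
)

// ListenThenDrop binds addr while the process is still root, then drops
// to uid/gid so everything after the bind runs unprivileged. No sysctl
// change is needed because the privileged bind happens before the drop.
// If the process is not root (or the target uid is 0) the credentials
// are left untouched and only the listener is returned.
func ListenThenDrop(addr string, uid, gid int) (net.Listener, error) {
	ln, err := net.Listen("tcp", addr) // the privileged bind happens here
	if err != nil {
		return nil, fmt.Errorf("listen %s: %w", addr, err)
	}
	if os.Geteuid() != 0 || uid == 0 {
		return ln, nil
	}
	// Order matters: supplementary groups, then gid, then uid. Once the
	// uid has changed the process can no longer adjust group membership.
	if err := syscall.Setgroups([]int{gid}); err != nil {
		ln.Close()
		return nil, fmt.Errorf("setgroups: %w", err)
	}
	if err := syscall.Setgid(gid); err != nil {
		ln.Close()
		return nil, fmt.Errorf("setgid: %w", err)
	}
	if err := syscall.Setuid(uid); err != nil {
		ln.Close()
		return nil, fmt.Errorf("setuid: %w", err)
	}
	// Verify the drop actually took effect before trusting it.
	if os.Getuid() != uid || os.Geteuid() != uid || os.Getgid() != gid {
		ln.Close()
		return nil, fmt.Errorf("privilege drop to %d/%d not effective", uid, gid)
	}
	return ln, nil
}
```

A root-started daemon would call ListenThenDrop(":53", uid, gid) once at startup (uid/gid being the service account's ids) and serve on the returned listener as that user.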