From owner-freebsd-stable@freebsd.org Mon Aug 20 15:02:06 2018 Return-Path: Delivered-To: freebsd-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 13E601070DC5 for ; Mon, 20 Aug 2018 15:02:06 +0000 (UTC) (envelope-from stb@lassitu.de) Received: from gilb.zs64.net (gilb.zs64.net [IPv6:2a00:14b0:4200:32e0::1ea]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "gilb.zs64.net", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id AB84271447 for ; Mon, 20 Aug 2018 15:02:05 +0000 (UTC) (envelope-from stb@lassitu.de) Received: by gilb.zs64.net (Postfix, from stb@lassitu.de) id C09D21EFDAB; Mon, 20 Aug 2018 15:02:04 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\)) Subject: Re: Bind to port <1024 in jail From: Stefan Bethke In-Reply-To: <6bfc8608-946d-39eb-cc57-88b3dc3bd7c5@grosbein.net> Date: Mon, 20 Aug 2018 17:02:03 +0200 Cc: FreeBSD Stable Content-Transfer-Encoding: quoted-printable Message-Id: <89646FDB-F1A9-4070-87EC-22C0CFAFF4E7@lassitu.de> References: <75536186-7D58-498C-BFC6-9284EB7CB444@lassitu.de> <6bfc8608-946d-39eb-cc57-88b3dc3bd7c5@grosbein.net> To: Eugene Grosbein X-Mailer: Apple Mail (2.3445.9.1) X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Aug 2018 15:02:06 -0000 Am 20.08.2018 um 16:59 schrieb Eugene Grosbein : >=20 > 20.08.2018 21:47, Stefan Bethke wrote: >=20 >> I have a Go program (acme-dns) that wants to bind 53, 80, and 443, = and I=E2=80=99d rather have it run as a non-privileged user. The = program doesn=E2=80=99t provide a facility to drop privs after binding = the ports. I=E2=80=99m planning to run it in a jail. >>=20 >> After some googling, it appears that a couple of years ago I should = have been able to do: >> sysctl net.inet.ip.portrange.reservedhigh=3D0 >> and allow all processes to bind to =E2=80=9Elow=E2=80=9C ports. This = does not work in my jails on a 11-stable host. >>=20 >> $ sudo sysctl net.inet.ip.portrange.reservedhigh=3D0 >> net.inet.ip.portrange.reservedhigh: 1023 >> sysctl: net.inet.ip.portrange.reservedhigh=3D0: Operation not = permitted >>=20 >> Securelevel should not interfere: >> $ sysctl kern.securelevel >> kern.securelevel: -1 >>=20 >> Is there a way to allow regular processes to bind to low ports? >=20 > Yes. Just use mac_portacl kernel module: kldload mac_portacl >=20 > Once loaded, it duplicates net.inet.ip.portrange.reservedhigh = protection > with its own security.mac.portacl.port_high, so it's safe to disable > "reservedhigh" for whole system by running sysctl = net.inet.ip.portrange.reservedhigh=3D0 > for host. >=20 > The trick is that mac_portacl provides a way to selectively give = permission for non-root UID > to bind low ports: >=20 > = security.mac.portacl.rules=3Duid:88:tcp:80,uid:88:tcp:443,uid:53:tcp:53,ui= d:53:udp:53 >=20 > It works just fine for a host and I use it for name servers utilizing = port 53 > for a box with dynamically created interfaces, so it may bind the port = for distinct IP addresses > after it dropped privilegies when new interface is created and get new = IP assigned. >=20 > I have not tried it for a jails, though. Please try and respond. Thanks, but do I understand correctly that the = security.mac.portacl.rules are system-wide and not per-jail? I=E2=80=99m running ~10 jails on this host, and I don=E2=80=99t want to = allow all of them to bind to low ports. Stefan --=20 Stefan Bethke Fon +49 151 14070811