Date: Mon, 20 Aug 2018 09:04:50 -0600
From: Ian Lepore <ian@freebsd.org>
To: Stefan Bethke <stb@lassitu.de>, FreeBSD Stable <freebsd-stable@freebsd.org>
Subject: Re: Bind to port <1024 in jail
Message-ID: <1534777490.27158.47.camel@freebsd.org>
In-Reply-To: <75536186-7D58-498C-BFC6-9284EB7CB444@lassitu.de>
References: <75536186-7D58-498C-BFC6-9284EB7CB444@lassitu.de>
On Mon, 2018-08-20 at 16:47 +0200, Stefan Bethke wrote:
> I have a Go program (acme-dns) that wants to bind 53, 80, and 443,
> and I’d rather have it run as a non-privileged user. The program
> doesn’t provide a facility to drop privs after binding the ports. I’m
> planning to run it in a jail.
>
> After some googling, it appears that a couple of years ago I should
> have been able to do:
> sysctl net.inet.ip.portrange.reservedhigh=0
> and allow all processes to bind to "low" ports. This does not work in
> my jails on an 11-stable host.
>
> $ sudo sysctl net.inet.ip.portrange.reservedhigh=0
> net.inet.ip.portrange.reservedhigh: 1023
> sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted
>
> Securelevel should not interfere:
> $ sysctl kern.securelevel
> kern.securelevel: -1
>
> Is there a way to allow regular processes to bind to low ports?
>
>
> Stefan
>

You might be able to set up a specific local userid for this process,
then use mac_portacl(4) to allow it to bind to those ports. I'm not
certain that works inside a jail, however.

-- Ian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1534777490.27158.47.camel>
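The mac_portacl(4) route Ian suggests, written out as an added example that is not part of the thread: a small POSIX sh helper that builds the security.mac.portacl.rules string for one service uid and emits the matching /etc/sysctl.conf lines. The uid (1001) is an assumption; the ports are the ones from Stefan's message. The sysctls are set on the host, not inside the jail, because a non-VNET jail shares the host's network stack and that is also why the sysctl write failed inside the jail. Whether the rules then let the jailed process bind is exactly what Ian flags as uncertain, so check it with the actual service before relying on it.

```sh
#!/bin/sh
# Added example, not from the thread or from acme-dns. Builds a
# mac_portacl(4) rule string and the sysctl.conf lines that go with it.
# Nothing here touches the running kernel; review the output, then
# paste it into /etc/sysctl.conf on the HOST (non-VNET jails share the
# host network stack, so these knobs are host-global).
# Assumed: the service runs as uid 1001 (any unprivileged uid works).

# portacl_rules <uid|gid> <id> <proto:port>...
# Prints "idtype:id:proto:port,..." or fails on malformed/non-reserved input.
portacl_rules() {
    idtype=$1; id=$2; shift 2
    rules=
    case "$idtype" in
        uid|gid) ;;
        *) echo "bad idtype: $idtype (want uid or gid)" >&2; return 1 ;;
    esac
    for spec in "$@"; do
        proto=${spec%%:*}; port=${spec#*:}
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol in '$spec' (want tcp or udp)" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
        # mac_portacl only governs the reserved range; anything above
        # port_high is already bindable by any user, so refuse it here.
        if [ "$port" -lt 1 ] || [ "$port" -gt 1023 ]; then
            echo "port $port is not in 1-1023; no portacl rule needed" >&2
            return 1
        fi
        rules="${rules:+$rules,}$idtype:$id:$proto:$port"
    done
    printf '%s\n' "$rules"
}

# portacl_sysctl_conf <rules>  -> /etc/sysctl.conf fragment
portacl_sysctl_conf() {
    cat <<EOF
# Hand the reserved-port decision to mac_portacl(4) instead of the
# built-in "uid 0 only" check (mac_portacl(4) documents this step).
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
# Root keeps its usual ability; the listed id gets only the listed ports.
security.mac.portacl.suser_exempt=1
security.mac.portacl.port_high=1023
security.mac.portacl.rules=$1
EOF
}

# Usage (uid 1001 is an assumption; ports are acme-dns's from the thread):
#   rules=$(portacl_rules uid 1001 udp:53 tcp:53 tcp:80 tcp:443)
#   portacl_sysctl_conf "$rules"
```

The module has to be present before sysctl.conf is processed, so add `mac_portacl_load="YES"` to /boot/loader.conf (or `kldload mac_portacl` once for a live test). The rule string is additive and all-or-nothing: a process matching no rule still hits the normal reserved-port check, and with reservedhigh=0 that check allows everyone, so keep reservedhigh=0 and the portacl rules as one change, not two.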