From owner-freebsd-stable@freebsd.org Mon Aug 20 15:04:54 2018 Return-Path: Delivered-To: freebsd-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 6BEC610711DC for ; Mon, 20 Aug 2018 15:04:54 +0000 (UTC) (envelope-from ian@freebsd.org) Received: from outbound2r.ore.mailhop.org (outbound2r.ore.mailhop.org [54.200.129.228]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id F0F6A71801 for ; Mon, 20 Aug 2018 15:04:53 +0000 (UTC) (envelope-from ian@freebsd.org) X-MHO-RoutePath: aGlwcGll X-MHO-User: 62fe64d6-a48a-11e8-904b-1d2e466b3c59 X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information X-Originating-IP: 67.177.211.60 X-Mail-Handler: DuoCircle Outbound SMTP Received: from ilsoft.org (unknown [67.177.211.60]) by outbound2.ore.mailhop.org (Halon) with ESMTPSA id 62fe64d6-a48a-11e8-904b-1d2e466b3c59; Mon, 20 Aug 2018 15:04:51 +0000 (UTC) Received: from rev (rev [172.22.42.240]) by ilsoft.org (8.15.2/8.15.2) with ESMTP id w7KF4oqx088141; Mon, 20 Aug 2018 09:04:50 -0600 (MDT) (envelope-from ian@freebsd.org) Message-ID: <1534777490.27158.47.camel@freebsd.org> Subject: Re: Bind to port <1024 in jail From: Ian Lepore To: Stefan Bethke , FreeBSD Stable Date: Mon, 20 Aug 2018 09:04:50 -0600 In-Reply-To: <75536186-7D58-498C-BFC6-9284EB7CB444@lassitu.de> References: <75536186-7D58-498C-BFC6-9284EB7CB444@lassitu.de> Content-Type: text/plain; charset="iso-8859-13" X-Mailer: Evolution 3.18.5.1 FreeBSD GNOME Team Port Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Aug 2018 15:04:54 -0000 On Mon, 2018-08-20 at 16:47 +0200, Stefan Bethke wrote: > I have a Go program (acme-dns) that wants to bind 53, 80, and 443, > and I’d rather have it run as a non-privileged user.  The program > doesn’t provide a facility to drop privs after binding the ports. I’m > planning to run it in a jail. > > After some googling, it appears that a couple of years ago I should > have been able to do: > sysctl net.inet.ip.portrange.reservedhigh=0 > and allow all processes to bind to „low“ ports. This does not work in > my jails on a 11-stable host. > > $ sudo sysctl net.inet.ip.portrange.reservedhigh=0 > net.inet.ip.portrange.reservedhigh: 1023 > sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted > > Securelevel should not interfere: > $ sysctl kern.securelevel > kern.securelevel: -1 > > Is there a way to allow regular processes to bind to low ports? > > > Stefan > You might be able to set up a specific local userid for this process, then use mac_portacl(4) to allow it to bind to those ports. I'm not certain that works inside a jail, however. -- Ian