Date:      Mon, 11 Oct 2021 21:41:23 +0300
From:      Yuri <yuri@aetern.org>
To:        hackers@freebsd.org
Subject:   Re: Possible to start the process with setuid while allowing it to listen on privileged ports?
Message-ID:  <774b0a05-c67e-89b9-885d-1a6e1212ee9c@aetern.org>
In-Reply-To: <dbfaf2da-4be0-2c64-47e-30c2e2bc33f1@maxim.int.ru>
References:  <6e98975c-34e5-246f-5b86-700b5f847815@rawbw.com> <dbfaf2da-4be0-2c64-47e-30c2e2bc33f1@maxim.int.ru>

Maxim Konovalov wrote:
> On Mon, 11 Oct 2021, 08:50-0700, Yuri wrote:
> 
>> Normal way to do this is for the application to first listen on the port and
>> then setuid.
>>
>> My question is about the situation when the application isn't willing to do
>> this.
>>
>> The project author says that setuid is too difficult in Go and Linux allows to
>> do this through systemd:
>>
>> https://github.com/coredns/coredns/issues/4917#issuecomment-939892548
>>
>> Can in FreeBSD the process be run as a regular user but still be allowed to
>> bind to privileged ports?
>>
> This could be possible to implement with mac_portacl(4).

mac_portacl(4) seems to be limited by the sysctls I mentioned in another
reply:
---
     port          Describes which port this entry applies to.  NOTE:
                   MAC security policies may not override other
                   security system policies by allowing accesses that
                   they may deny, such as
                   net.inet.ip.portrange.reservedlow /
                   net.inet.ip.portrange.reservedhigh.
---

In addition to Linux/systemd, Solaris also allows this through its
privilege framework (PRIV_NET_PRIVADDR).  Wonder if we have something
similar?
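For readers following this thread, here is the way the man page note above plays out in practice: a mac_portacl(4) rule cannot grant a port that the kernel's own reserved range still denies, so the reserved range has to be adjusted alongside the rule. This is an added configuration sketch, not something from the thread or from the CoreDNS project; the uid 53 and the DNS port are assumed for illustration.

```conf
# /boot/loader.conf: load the MAC port ACL module at boot
mac_portacl_load="YES"

# /etc/sysctl.conf

# Weak/ineffective setting: the rule alone is not enough, because the
# generic reserved-port check (reservedlow..reservedhigh, default 0..1023)
# is applied before the MAC policy and still rejects the bind.
#security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53

# Working setting: disable the generic reservation so that only the MAC
# policy decides who may bind below port_high.
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0

security.mac.portacl.enabled=1
# root (superuser) remains exempt from the ACL
security.mac.portacl.suser_exempt=1
# ports below or equal to this value are governed by the ACL
security.mac.portacl.port_high=1023
# allow the assumed service uid 53 to bind TCP and UDP port 53 only
security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53
```

With reservedhigh lowered, the ACL rules are the only thing keeping other unprivileged uids off ports below 1024, so the rule list should be kept minimal and reviewed with the rest of the host hardening.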
