From: Yuri <yuri@aetern.org>
To: hackers@freebsd.org
Date: Mon, 11 Oct 2021 21:41:23 +0300
Subject: Re: Possible to start the process with setuid while allowing it to listen on privileged ports?
Message-ID: <774b0a05-c67e-89b9-885d-1a6e1212ee9c@aetern.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

Maxim Konovalov wrote:
> On Mon, 11 Oct 2021, 08:50-0700, Yuri wrote:
>
>> The normal way to do this is for the application to first listen on the port and
>> then setuid.
>>
>> My question is about the situation when the application isn't willing to do
>> this.
>>
>> The project author says that setuid is too difficult in Go and that Linux allows
>> doing this through systemd:
>>
>> https://github.com/coredns/coredns/issues/4917#issuecomment-939892548
>>
>> Can the process in FreeBSD be run as a regular user but still be allowed to
>> bind to privileged ports?
>>
> This could be possible to implement with mac_portacl(4).

mac_portacl(4) seems to be limited by the sysctls I mentioned in another reply:

---
port    Describes which port this entry applies to.  NOTE: MAC security
        policies may not override other security system policies by
        allowing accesses that they may deny, such as
        net.inet.ip.portrange.reservedlow / net.inet.ip.portrange.reservedhigh.
---

In addition to Linux/systemd, Solaris also allows this through its privilege framework (PRIV_NET_PRIVADDR). Wonder if we have something similar?
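The interaction Yuri quotes from mac_portacl(4) is easy to get wrong in practice: a portacl rule for port 53 is checked separately from the IP stack's reserved-port range, and the rule cannot override that range. The script below is an added illustration for this thread, not code from FreeBSD, CoreDNS or either poster. It is a userland model of the two documented checks (the net.inet.ip.portrange.reservedlow/reservedhigh range, which needs the root-only reserved-port privilege, and the security.mac.portacl.rules list for ports up to security.mac.portacl.port_high) so that a configuration can be reasoned about on any machine; it does not touch the kernel. The sysctl names it prints are the real ones from mac_portacl(4); the uid 53 used for the DNS daemon is an assumed, hypothetical account, and the module still has to be loaded (mac_portacl_load="YES" in /boot/loader.conf) for the printed lines to mean anything.

```shell
#!/bin/sh
# Added illustration for this thread, not FreeBSD or CoreDNS code.
# Models how bind(2) by a NON-root process on FreeBSD is gated by two
# independent checks described in mac_portacl(4):
#   1. the IP stack's reserved-port range, net.inet.ip.portrange.reservedlow /
#      reservedhigh, which requires the reserved-port privilege (root only);
#   2. the mac_portacl(4) rule list, security.mac.portacl.rules, applied to
#      ports up to security.mac.portacl.port_high.
# A mac_portacl "allow" cannot override check 1, so the reserved range has
# to be emptied before a rule for port 53 does anything for a regular user.

PORTACL_PORT_HIGH=1023      # stock default of security.mac.portacl.port_high

# rule_matches RULE UID GID PROTO PORT
# RULE has the mac_portacl form idtype:id:protocol:port (idtype uid or gid).
rule_matches() {
    rule=$1; uid=$2; gid=$3; proto=$4; port=$5
    idtype=${rule%%:*}; rest=${rule#*:}
    id=${rest%%:*};     rest=${rest#*:}
    rproto=${rest%%:*}; rport=${rest#*:}
    case $rport in ''|*[!0-9]*) return 1 ;; esac   # malformed rule: no match
    [ "$rproto" = "$proto" ] || return 1
    [ "$rport" -eq "$port" ] || return 1
    case $idtype in
        uid) [ "$id" -eq "$uid" ] ;;
        gid) [ "$id" -eq "$gid" ] ;;
        *)   return 1 ;;
    esac
}

# portacl_allows UID GID PROTO PORT RULES RESERVEDLOW RESERVEDHIGH
# Returns 0 (bind allowed) or 1 (EACCES) for an unprivileged process.
portacl_allows() {
    uid=$1; gid=$2; proto=$3; port=$4; rules=$5; rlow=$6; rhigh=$7

    # Check 1: the generic reserved range, independent of any MAC policy.
    if [ "$port" -ge "$rlow" ] && [ "$port" -le "$rhigh" ]; then
        return 1
    fi
    # Ports above port_high are outside mac_portacl's scope: unrestricted.
    if [ "$port" -gt "$PORTACL_PORT_HIGH" ]; then
        return 0
    fi
    # Check 2: inside the governed range only an explicit rule allows bind.
    oldifs=$IFS; IFS=,; set -- $rules; IFS=$oldifs
    for rule in "$@"; do
        if rule_matches "$rule" "$uid" "$gid" "$proto" "$port"; then
            return 0
        fi
    done
    return 1
}

# portacl_config RULES: print the sysctl.conf(5) lines that make RULES
# effective for a non-root daemon.  The reserved range is emptied
# (reservedhigh=0) so that below port_high mac_portacl alone decides; root
# stays exempt through the default security.mac.portacl.suser_exempt=1.
portacl_config() {
    printf 'security.mac.portacl.enabled=1\n'
    printf 'security.mac.portacl.port_high=%s\n' "$PORTACL_PORT_HIGH"
    printf 'net.inet.ip.portrange.reservedlow=0\n'
    printf 'net.inet.ip.portrange.reservedhigh=0\n'
    printf 'security.mac.portacl.rules=%s\n' "$1"
}

# Constructed scenario: a DNS daemon running as a hypothetical unprivileged
# account with uid 53 and gid 53 (assumed for the example; pick your own).
DNS_RULES='uid:53:tcp:53,uid:53:udp:53'

verdict() { if portacl_allows "$@"; then echo allowed; else echo denied; fi; }

# Rule alone, stock reserved range 0-1023: still refused (check 1 wins).
verdict 53 53 udp 53 "$DNS_RULES" 0 1023      # denied
# Same rule after reservedhigh=0: allowed (check 2 matches).
verdict 53 53 udp 53 "$DNS_RULES" 0 0         # allowed
# Another uid on port 53, or uid 53 on port 80: no rule, so refused.
verdict 1001 1001 udp 53 "$DNS_RULES" 0 0     # denied
verdict 53 53 tcp 80 "$DNS_RULES" 0 0         # denied
# A high port is outside the policy: allowed without any rule.
verdict 53 53 tcp 8053 "$DNS_RULES" 0 0       # allowed

portacl_config "$DNS_RULES"
```

The point the model makes explicit is that the rule list and the reserved range are separate gates: lowering net.inet.ip.portrange.reservedhigh does not hand low ports to everyone, because mac_portacl then denies every uid without a rule up to port_high, while root keeps its exemption.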