Date: Mon, 20 Aug 2018 09:09:58 -0600 From: Ian Lepore <ian@freebsd.org> To: Stefan Bethke <stb@lassitu.de>, Eugene Grosbein <eugen@grosbein.net> Cc: FreeBSD Stable <freebsd-stable@freebsd.org> Subject: Re: Bind to port <1024 in jail Message-ID: <1534777798.27158.50.camel@freebsd.org> In-Reply-To: <89646FDB-F1A9-4070-87EC-22C0CFAFF4E7@lassitu.de> References: <75536186-7D58-498C-BFC6-9284EB7CB444@lassitu.de> <6bfc8608-946d-39eb-cc57-88b3dc3bd7c5@grosbein.net> <89646FDB-F1A9-4070-87EC-22C0CFAFF4E7@lassitu.de>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 2018-08-20 at 17:02 +0200, Stefan Bethke wrote: > Am 20.08.2018 um 16:59 schrieb Eugene Grosbein <eugen@grosbein.net>: > > > > > > 20.08.2018 21:47, Stefan Bethke wrote: > > > > > > > > I have a Go program (acme-dns) that wants to bind 53, 80, and > > > 443, and Iÿd rather have it run as a non-privileged user. The > > > program doesnÿt provide a facility to drop privs after binding > > > the ports. Iÿm planning to run it in a jail. > > > > > > After some googling, it appears that a couple of years ago I > > > should have been able to do: > > > sysctl net.inet.ip.portrange.reservedhigh=0 > > > and allow all processes to bind to ¥low´ ports. This does not > > > work in my jails on a 11-stable host. > > > > > > $ sudo sysctl net.inet.ip.portrange.reservedhigh=0 > > > net.inet.ip.portrange.reservedhigh: 1023 > > > sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not > > > permitted > > > > > > Securelevel should not interfere: > > > $ sysctl kern.securelevel > > > kern.securelevel: -1 > > > > > > Is there a way to allow regular processes to bind to low ports? > > Yes. Just use mac_portacl kernel module: kldload mac_portacl > > > > Once loaded, it duplicates net.inet.ip.portrange.reservedhigh > > protection > > with its own security.mac.portacl.port_high, so it's safe to > > disable > > "reservedhigh" for whole system by running sysctl > > net.inet.ip.portrange.reservedhigh=0 > > for host. > > > > The trick is that mac_portacl provides a way to selectively give > > permission for non-root UID > > to bind low ports: > > > > security.mac.portacl.rules=uid:88:tcp:80,uid:88:tcp:443,uid:53:tcp: > > 53,uid:53:udp:53 > > > > It works just fine for a host and I use it for name servers > > utilizing port 53 > > for a box with dynamically created interfaces, so it may bind the > > port for distinct IP addresses > > after it dropped privilegies when new interface is created and get > > new IP assigned. > > > > I have not tried it for a jails, though. Please try and respond. > Thanks, but do I understand correctly that the > security.mac.portacl.rules are system-wide and not per-jail? > > Iÿm running ~10 jails on this host, and I donÿt want to allow all of > them to bind to low ports. > Portacls are configure by userid. Just create a local userid that is dedicated to this one process that runs in the one jail, and only it (and root of course) would be able to bind to those ports. -- Ian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1534777798.27158.50.camel>