From owner-freebsd-stable@freebsd.org Mon Aug 20 15:10:09 2018 Return-Path: Delivered-To: freebsd-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 975981071690 for ; Mon, 20 Aug 2018 15:10:09 +0000 (UTC) (envelope-from ian@freebsd.org) Received: from outbound1b.ore.mailhop.org (outbound1b.ore.mailhop.org [54.200.247.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2185371CBF for ; Mon, 20 Aug 2018 15:10:08 +0000 (UTC) (envelope-from ian@freebsd.org) X-MHO-RoutePath: aGlwcGll X-MHO-User: 1a5d7f99-a48b-11e8-93fa-f3ebd9db2b94 X-Report-Abuse-To: https://support.duocircle.com/support/solutions/articles/5000540958-duocircle-standard-smtp-abuse-information X-Originating-IP: 67.177.211.60 X-Mail-Handler: DuoCircle Outbound SMTP Received: from ilsoft.org (unknown [67.177.211.60]) by outbound1.ore.mailhop.org (Halon) with ESMTPSA id 1a5d7f99-a48b-11e8-93fa-f3ebd9db2b94; Mon, 20 Aug 2018 15:10:01 +0000 (UTC) Received: from rev (rev [172.22.42.240]) by ilsoft.org (8.15.2/8.15.2) with ESMTP id w7KF9wTv088159; Mon, 20 Aug 2018 09:09:58 -0600 (MDT) (envelope-from ian@freebsd.org) Message-ID: <1534777798.27158.50.camel@freebsd.org> Subject: Re: Bind to port <1024 in jail From: Ian Lepore To: Stefan Bethke , Eugene Grosbein Cc: FreeBSD Stable Date: Mon, 20 Aug 2018 09:09:58 -0600 In-Reply-To: <89646FDB-F1A9-4070-87EC-22C0CFAFF4E7@lassitu.de> References: <75536186-7D58-498C-BFC6-9284EB7CB444@lassitu.de> <6bfc8608-946d-39eb-cc57-88b3dc3bd7c5@grosbein.net> <89646FDB-F1A9-4070-87EC-22C0CFAFF4E7@lassitu.de> Content-Type: text/plain; charset="iso-8859-13" X-Mailer: Evolution 3.18.5.1 FreeBSD GNOME Team Port Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Aug 2018 15:10:09 -0000 On Mon, 2018-08-20 at 17:02 +0200, Stefan Bethke wrote: > Am 20.08.2018 um 16:59 schrieb Eugene Grosbein : > > > > > > 20.08.2018 21:47, Stefan Bethke wrote: > > > > > > > > I have a Go program (acme-dns) that wants to bind 53, 80, and > > > 443, and Iÿd rather have it run as a non-privileged user.  The > > > program doesnÿt provide a facility to drop privs after binding > > > the ports. Iÿm planning to run it in a jail. > > > > > > After some googling, it appears that a couple of years ago I > > > should have been able to do: > > > sysctl net.inet.ip.portrange.reservedhigh=0 > > > and allow all processes to bind to ¥low´ ports. This does not > > > work in my jails on a 11-stable host. > > > > > > $ sudo sysctl net.inet.ip.portrange.reservedhigh=0 > > > net.inet.ip.portrange.reservedhigh: 1023 > > > sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not > > > permitted > > > > > > Securelevel should not interfere: > > > $ sysctl kern.securelevel > > > kern.securelevel: -1 > > > > > > Is there a way to allow regular processes to bind to low ports? > > Yes. Just use mac_portacl kernel module: kldload mac_portacl > > > > Once loaded, it duplicates net.inet.ip.portrange.reservedhigh > > protection > > with its own security.mac.portacl.port_high, so it's safe to > > disable > > "reservedhigh" for whole system by running sysctl > > net.inet.ip.portrange.reservedhigh=0 > > for host. > > > > The trick is that mac_portacl provides a way to selectively give > > permission for non-root UID > > to bind low ports: > > > > security.mac.portacl.rules=uid:88:tcp:80,uid:88:tcp:443,uid:53:tcp: > > 53,uid:53:udp:53 > > > > It works just fine for a host and I use it for name servers > > utilizing port 53 > > for a box with dynamically created interfaces, so it may bind the > > port for distinct IP addresses > > after it dropped privilegies when new interface is created and get > > new IP assigned. > > > > I have not tried it for a jails, though. Please try and respond. > Thanks, but do I understand correctly that the > security.mac.portacl.rules are system-wide and not per-jail? > > Iÿm running ~10 jails on this host, and I donÿt want to allow all of > them to bind to low ports. > Portacls are configure by userid. Just create a local userid that is dedicated to this one process that runs in the one jail, and only it (and root of course) would be able to bind to those ports. -- Ian