From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 217728] [patch] restrict access to reserved ports in jails
Date: Sun, 12 Mar 2017 17:00:01 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217728

Bug ID: 217728
Summary: [patch] restrict access to reserved ports in jails
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Keywords: patch
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: mattm916@pulsar.neomailbox.ch

Created attachment 180751
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=180751&action=edit
patch to add the allow.reserved_port option to jail(8)

The attached patch adds a new jail(8) configuration option to deny the use of
reserved ports inside a jail. This is intended for use in shared-IP jails that
set the "ipv4=inherit" option, and would not be useful in VNET-enabled jails.
The primary use case is for delegating jail administration to ordinary users
who would otherwise not be allowed access to run services on reserved ports.

Without this patch, ordinary users who have root privileges inside a shared-IP
jail have the ability to run services that potentially conflict with the host,
such as SSH or Sendmail.