From owner-freebsd-security@FreeBSD.ORG Sat Oct 21 00:08:23 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3053716A407 for ; Sat, 21 Oct 2006 00:08:23 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8582D43D5C for ; Sat, 21 Oct 2006 00:08:22 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 1663C46DC2; Fri, 20 Oct 2006 20:08:22 -0400 (EDT) Date: Sat, 21 Oct 2006 01:08:21 +0100 (BST) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Nikolay Pavlov In-Reply-To: <20061020140456.GA25717@zone3000.net> Message-ID: <20061021010729.A2879@fledge.watson.org> References: <20061020140456.GA25717@zone3000.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@freebsd.org Subject: Re: mac_portacl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2006 00:08:23 -0000 On Fri, 20 Oct 2006, Nikolay Pavlov wrote: > I am trying to implement reverse proxy using squid with mac_portacl, but i > have problem while binding squid to port 80. Am i missed something? Did you set the IP stack's definition of reserved such that there are no reserved ports, per the mac_portacl(4) man page? In order to enable the mac_portacl policy, MAC policy must be enforced on sockets (see mac(4)), and the port(s) protected by mac_portacl must not be included in the range specified by the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl(8) MIBs. Basically, you need to set those sysctls to 0. That should probably be explicit in the man page, rather than implicit as it is now. Robert N M Watson Computer Laboratory University of Cambridge > > Here is my mac_portacl variables: > > # sysctl security.mac.portacl. > security.mac.portacl.enabled: 1 > security.mac.portacl.suser_exempt: 1 > security.mac.portacl.autoport_exempt: 1 > security.mac.portacl.port_high: 1023 > security.mac.portacl.rules: uid:100:tcp:80 > > And squid user info: > > # grep squid /etc/passwd > squid:*:100:100:squid caching-proxy pseudo user:/usr/local/squid:/usr/sbin/nologin > > Also here is cache.log: > > 2006/10/20 09:55:59| Starting Squid Cache version 2.5.STABLE14 for > i386-portbld-freebsd6.1... > 2006/10/20 09:55:59| Process ID 6584 > 2006/10/20 09:55:59| With 11072 file descriptors available > 2006/10/20 09:55:59| DNS Socket created at 0.0.0.0, port 59879, FD 5 > 2006/10/20 09:55:59| Adding nameserver 206.53.60.10 from > /etc/resolv.conf > 2006/10/20 09:55:59| User-Agent logging is disabled. > 2006/10/20 09:55:59| Unlinkd pipe opened on FD 10 > 2006/10/20 09:55:59| Swap maxSize 102400000 KB, estimated 7876923 > objects > 2006/10/20 09:55:59| Target number of buckets: 393846 > 2006/10/20 09:55:59| Using 524288 Store buckets > 2006/10/20 09:55:59| Max Mem size: 1048576 KB > 2006/10/20 09:55:59| Max Swap size: 102400000 KB > 2006/10/20 09:55:59| Rebuilding storage in /cache (DIRTY) > 2006/10/20 09:55:59| Using Least Load store dir selection > 2006/10/20 09:55:59| Set Current Directory to /usr/local/squid/cache > 2006/10/20 09:55:59| Loaded Icons. > 2006/10/20 09:55:59| commBind: Cannot bind socket FD 12 to *:80: (13) > Permission denied > FATAL: Cannot open HTTP Port > Squid Cache (Version 2.5.STABLE14): Terminated abnormally. > CPU Usage: 0.035 seconds = 0.000 user + 0.035 sys > Maximum Resident Size: 9528 KB > Page faults with physical i/o: 0 > > > -- > ====================================================================== > - Best regards, Nikolay Pavlov. <<<----------------------------------- > ====================================================================== > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >