Date: Fri, 18 Aug 2023 16:13:07 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 273208] An rc script for mac_portacl(4)
Message-ID: <bug-273208-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273208

            Bug ID: 273208
           Summary: An rc script for mac_portacl(4)
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: conf
          Assignee: bugs@FreeBSD.org
          Reporter: tom@hur.st

Created attachment 244195
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=244195&action=edit
Dreaming of being /etc/rc.d/portacl

mac_portacl(4) is a kernel module providing access control policy for network service port binding, allowing for specified users and groups to bind to otherwise root-privileged ports.

Currently, to make use of this, the module must be loaded, the rules set in a sysctl in a single line with only numeric IDs allowed, and the stock reserved ports sysctl needs to be set to disable enforcement.

For example, allowing user www, uid 80, to bind to ports http and https:

net.inet.ip.portrange.reservedhigh=0
security.mac.portacl.rules="uid:80:tcp:80,uid:80:tcp:443"

Attached is the first cut of an rc script which allows for configuration using only rc.conf variables, including mapping user and service names to their numeric equivalents.

For example, the above configuration would be achieved with:

portacl_enable="YES"
portacl_users="www"
portacl_user_www_tcp="http https"

This uses dynamic variables of the form portacl_{user,group}_${name}_{tcp,udp} to configure each portion of the ruleset.

Existing raw rules can be combined:

portacl_additional_rules="uid:143:tcp:993"

Existing rules and other relevant oids set in /etc/sysctl.conf{,.local} are overridden, but a warning is issued if any are found.

Development is currently taking place here: https://github.com/Freaky/portacl

-- 
You are receiving this mail because:
You are the assignee for the bug.
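The expansion scheme described in the report, as an added POSIX sh example that is not the attached rc script and not part of the original message: it walks portacl_{user,group}_${name}_{tcp,udp} variables, resolves names to numbers, appends portacl_additional_rules, and reports oids already set in a sysctl.conf-style file. The function names (build_rules, overridden_oids, lookup_uid, lookup_gid, lookup_port) are my own, and the name lookups use small constructed tables so the script runs offline; a real rc script would consult id(1) and /etc/services instead.

```shell
#!/bin/sh
# Added example of the rc.conf -> security.mac.portacl.rules expansion
# described in bug 273208. Not the attached rc script.

# Constructed sample configuration, mirroring the report's rc.conf example.
portacl_enable="YES"
portacl_users="www"
portacl_groups=""
portacl_user_www_tcp="http https"
portacl_additional_rules="uid:143:tcp:993"

# Constructed stand-ins for the passwd, group and services databases
# (assumed values; a real script would call id(1) / read /etc/services).
lookup_uid() {
    case "$1" in
        www) echo 80 ;;
        *[!0-9]*) return 1 ;;   # unknown name: caller skips it with a warning
        *) echo "$1" ;;         # already numeric, pass through
    esac
}
lookup_gid() {
    case "$1" in
        www) echo 80 ;;
        *[!0-9]*) return 1 ;;
        *) echo "$1" ;;
    esac
}
lookup_port() {
    case "$1" in
        http) echo 80 ;;
        https) echo 443 ;;
        *[!0-9]*) return 1 ;;
        *) echo "$1" ;;
    esac
}

# append_rule RULE: add RULE to the comma-separated accumulator $rules.
append_rule() {
    if [ -z "$rules" ]; then rules=$1; else rules="$rules,$1"; fi
}

# build_rules: print the value for security.mac.portacl.rules, derived from
# portacl_{user,group}_${name}_{tcp,udp} plus portacl_additional_rules.
build_rules() {
    rules=""
    for kind in user group; do
        eval "names=\$portacl_${kind}s"
        for name in $names; do
            # Only names that form a valid shell identifier can be looked up
            # as a dynamic variable; anything else is refused, not eval'd.
            case "$name" in
                *[!A-Za-z0-9_]*) echo "portacl: skipping unusable $kind name '$name'" >&2; continue ;;
            esac
            if [ "$kind" = user ]; then
                key=uid; ident=$(lookup_uid "$name") || { echo "portacl: unknown user $name" >&2; continue; }
            else
                key=gid; ident=$(lookup_gid "$name") || { echo "portacl: unknown group $name" >&2; continue; }
            fi
            for proto in tcp udp; do
                eval "services=\$portacl_${kind}_${name}_${proto}"
                for svc in $services; do
                    port=$(lookup_port "$svc") || { echo "portacl: unknown service $svc" >&2; continue; }
                    append_rule "$key:$ident:$proto:$port"
                done
            done
        done
    done
    for extra in $portacl_additional_rules; do
        append_rule "$extra"
    done
    printf '%s\n' "$rules"
}

# overridden_oids FILE: print the oids in FILE that this script would
# override, so the caller can warn as the report describes.
overridden_oids() {
    [ -r "$1" ] || return 0
    grep -E '^[[:space:]]*(security\.mac\.portacl\.rules|net\.inet\.ip\.portrange\.reservedhigh)[[:space:]]*=' "$1" |
        sed -E 's/^[[:space:]]*([^=[:space:]]+).*/\1/'
    return 0
}

if [ "$portacl_enable" = "YES" ]; then
    # Constructed sysctl.conf stand-in, to show the warning path.
    sample=${TMPDIR:-/tmp}/portacl-example-sysctl.conf
    printf '%s\n' 'net.inet.ip.portrange.reservedhigh=0' \
        'security.mac.portacl.rules="uid:80:tcp:80"' > "$sample"
    for oid in $(overridden_oids "$sample"); do
        echo "portacl: WARNING: $oid is also set in $sample and will be overridden" >&2
    done
    rm -f "$sample"
    echo "net.inet.ip.portrange.reservedhigh=0"
    echo "security.mac.portacl.rules=\"$(build_rules)\""
fi
```

The identifier check before the eval is the part worth keeping in any real implementation: user and group names are attacker-influenced data in the sense that they come from a database, and splicing them into an eval without validation is how an rc script grows a command-injection hole.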