Date: Tue, 12 Oct 2021 09:24:26 +0700
From: Eugene Grosbein <eugen@grosbein.net>
To: Yuri <yuri@FreeBSD.org>, Freebsd hackers list <freebsd-hackers@FreeBSD.org>
Subject: Re: Possible to start the process with setuid while allowing it to listen on privileged ports?
Message-ID: <b3bb35f5-e285-90f1-fa31-6b9257240526@grosbein.net>
In-Reply-To: <6e98975c-34e5-246f-5b86-700b5f847815@rawbw.com>
References: <6e98975c-34e5-246f-5b86-700b5f847815@rawbw.com>
11.10.2021 22:50, Yuri wrote:

> The normal way to do this is for the application to first listen on the port and then setuid.
>
> My question is about the situation when the application isn't willing to do this.
>
> The project author says that setuid is too difficult in Go and that Linux allows doing this through systemd:
>
> https://github.com/coredns/coredns/issues/4917#issuecomment-939892548
>
> Can the process in FreeBSD be run as a regular user but still be allowed to bind to privileged ports?

Yes, of course. We have had mac_portacl(4) since FreeBSD 8 just for that task.

There is a sysctl, net.inet.ip.portrange.reservedhigh=1023 by default, that defines the "privileged low port" protection for the super-user. The kernel module mac_portacl provides a sysctl, security.mac.portacl.port_high=1023 by default, that duplicates this protection, so you should disable the first one after loading mac_portacl with sysctl net.inet.ip.portrange.reservedhigh=0.

Unprivileged users still cannot bind to low ports unless specifically granted that right with another sysctl, for example:

security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53

This is a "real life" example for ISC BIND running with UID 53 that allows it to bind tcp/53 and udp/53 for dynamically created interfaces like tun/tap/ng/eiface etc. when BIND runs as non-root.
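The following script is an added example and is not part of the thread or of FreeBSD itself. It builds a security.mac.portacl.rules value for one numeric uid, checks each rule against the idtype:id:protocol:port grammar documented in mac_portacl(4) (uid or gid, tcp or udp, a port at or below port_high), and then applies the two sysctls the reply names. The function names, the validation logic and the non-FreeBSD fallback (print what would be done and return 0) are my assumptions, added so the checker part also runs on another OS; the uid 53 / tcp:53 / udp:53 values are the BIND case from the reply.

```shell
#!/bin/sh
# Added example, not from the thread: build and syntax-check a value for
# security.mac.portacl.rules, then apply it the way the reply describes.
# Rule grammar follows mac_portacl(4): idtype:id:protocol:port, comma-separated,
# where idtype is uid or gid and protocol is tcp or udp.

# portacl_rules UID PROTO:PORT... -> prints the rules string for one numeric uid.
#   portacl_rules 53 tcp:53 udp:53  ->  uid:53:tcp:53,uid:53:udp:53
portacl_rules() {
    uid=$1; shift
    out=""
    for pp in "$@"; do
        out="${out:+${out},}uid:${uid}:${pp}"
    done
    printf '%s\n' "$out"
}

# validate_portacl_rules RULES [PORT_HIGH] -> 0 if every rule is well formed and
# grants a port in 1..PORT_HIGH (default 1023, the security.mac.portacl.port_high
# default). Ports above PORT_HIGH are not protected at all, so a rule for one
# of them is almost certainly a typo and is rejected here.
validate_portacl_rules() {
    rules=$1; port_high=${2:-1023}
    old_ifs=$IFS; IFS=','
    set -- $rules                       # split on commas into positional parameters
    IFS=$old_ifs
    [ $# -gt 0 ] || { echo "empty rule set" >&2; return 1; }
    for r in "$@"; do
        idtype=${r%%:*};   rest=${r#*:}
        id=${rest%%:*};    rest=${rest#*:}
        proto=${rest%%:*}; port=${rest#*:}
        case "$idtype" in uid|gid) ;; *) echo "bad idtype in '$r'" >&2; return 1 ;; esac
        case "$id"     in ''|*[!0-9]*) echo "non-numeric id in '$r'" >&2; return 1 ;; esac
        case "$proto"  in tcp|udp) ;; *) echo "bad protocol in '$r'" >&2; return 1 ;; esac
        case "$port"   in ''|*[!0-9]*) echo "non-numeric port in '$r'" >&2; return 1 ;; esac
        if [ "$port" -lt 1 ] || [ "$port" -gt "$port_high" ]; then
            echo "port $port outside 1..$port_high in '$r'" >&2; return 1
        fi
    done
    return 0
}

# apply_portacl RULES: load the module and set the two sysctls the reply names.
# Needs root on FreeBSD. On any other OS (hypothetical fallback) it only reports
# what it would do, so the script stays usable as a rule checker elsewhere.
apply_portacl() {
    validate_portacl_rules "$1" || return 1
    if [ "$(uname -s)" != FreeBSD ]; then
        echo "not FreeBSD: would set security.mac.portacl.rules=$1" >&2
        return 0
    fi
    kldload -n mac_portacl                          # -n: no error if already loaded
    sysctl security.mac.portacl.rules="$1"
    sysctl net.inet.ip.portrange.reservedhigh=0     # hand low-port protection to portacl
    # To persist across reboots: mac_portacl_load="YES" in /boot/loader.conf and
    # the two sysctl values above in /etc/sysctl.conf.
}

# The reply's real-life case: BIND running as uid 53, bound to tcp/53 and udp/53.
bind_rules=$(portacl_rules 53 tcp:53 udp:53)
apply_portacl "$bind_rules"
```

Note the ordering: reservedhigh is lowered only after mac_portacl is loaded and its rules are in place, so there is no window in which low ports are unprotected. Running the script on a non-FreeBSD host exercises only the rule builder and checker.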