From eugen@grosbein.net Tue Oct 12 02:24:26 2021 X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 1C648180B39B for ; Tue, 12 Oct 2021 02:24:43 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from hz.grosbein.net (hz.grosbein.net [IPv6:2a01:4f8:c2c:26d8::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hz.grosbein.net", Issuer "hz.grosbein.net" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4HSzyL5sMkz3vwV; Tue, 12 Oct 2021 02:24:42 +0000 (UTC) (envelope-from eugen@grosbein.net) Received: from eg.sd.rdtc.ru (root@eg.sd.rdtc.ru [62.231.161.221] (may be forged)) by hz.grosbein.net (8.15.2/8.15.2) with ESMTPS id 19C2OY5F051805 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 12 Oct 2021 02:24:34 GMT (envelope-from eugen@grosbein.net) X-Envelope-From: eugen@grosbein.net X-Envelope-To: yuri@FreeBSD.org Received: from [10.58.0.10] (dadvw [10.58.0.10]) by eg.sd.rdtc.ru (8.16.1/8.16.1) with ESMTPS id 19C2OXsD071878 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Tue, 12 Oct 2021 09:24:33 +0700 (+07) (envelope-from eugen@grosbein.net) Subject: Re: Possible to start the process with setuid while allowing it to listen on privileged ports? To: Yuri , Freebsd hackers list References: <6e98975c-34e5-246f-5b86-700b5f847815@rawbw.com> From: Eugene Grosbein Message-ID: Date: Tue, 12 Oct 2021 09:24:26 +0700 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0 List-Id: Technical discussions relating to FreeBSD List-Archive: https://lists.freebsd.org/archives/freebsd-hackers List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-hackers@freebsd.org MIME-Version: 1.0 In-Reply-To: <6e98975c-34e5-246f-5b86-700b5f847815@rawbw.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED,SHORTCIRCUIT autolearn=disabled version=3.4.2 X-Spam-Report: * -0.0 SHORTCIRCUIT No description available. * -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on hz.grosbein.net X-Rspamd-Queue-Id: 4HSzyL5sMkz3vwV X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-Spam: Yes X-ThisMailContainsUnwantedMimeParts: N 11.10.2021 22:50, Yuri wrote: > Normal way to do this is for the application to first listen on the port and then setuid. > > > My question is about the situation when the application isn't willing to do this. > > > The project author says that setuid is too difficult in Go and Linux allows to do this through systemd: > > https://github.com/coredns/coredns/issues/4917#issuecomment-939892548 > > > Can in FreeBSD the process be run as a regular user but still be allowed to bind to privileged ports? Yes, of course. We have mac_portacl(4) since FreeBSD 8 just for that task. There is sysctl net.inet.ip.portrange.reservedhigh=1023 by default that defines "privileged low port" protection for super-user. Kernel module mac_portacl provides sysctl security.mac.portacl.port_high=1023 by default that duplicates this protection, so you should disable first one after loading mac_portacl with sysctl net.inet.ip.portrange.reservedhigh=0. Unprivileged users still cannot bind to low ports unless specifically granted that right with another sysctl, for example: security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53 This is "real life" example for ISC BIND running with UID 53 that allows it to bind tcp/53 and udp/53 for dynamically created interfaces like tun/tap/ng/eiface etc. when BIND runs as non-root.