From owner-svn-src-all@freebsd.org Wed Jun 7 11:04:39 2017
Date: Wed, 07 Jun 2017 07:04:34 -0400
User-Agent: K-9 Mail for Android
In-Reply-To: <20170607102033.Horde.fNxJ0jaYva0yGHTMA77wPTz@webmail.leidinger.net>
References: <20170607102033.Horde.fNxJ0jaYva0yGHTMA77wPTz@webmail.leidinger.net>
Subject: Re: svn commit: r319611 - in head: sys/kern sys/sys usr.sbin/jail
To: Alexander Leidinger
CC: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
From: Allan Jude
Message-ID: <6949814E-4CA8-42AC-A4D4-8FE3680E3051@FreeBSD.org>

On June 7, 2017 4:20:33 AM EDT, Alexander Leidinger wrote:
>
>Quoting Allan Jude (from Tue, 6 Jun 2017 02:15:01 +0000 (UTC)):
>
>> Author: allanjude
>> Date: Tue Jun 6 02:15:00 2017
>> New Revision: 319611
>> URL: https://svnweb.freebsd.org/changeset/base/319611
>>
>> Log:
>> Jails: Optionally prevent jailed root from binding to privileged ports
>>
>> You may now optionally specify allow.noreserved_ports to prevent root
>> inside a jail from using privileged ports (less than 1024)
>
>What about a different name than "noreserved_ports"? This is very
>close to "nonreserved_ports", and as such it's easy to get wrong the
>first time. IMO "block_reserved_ports" and "noblock_reserved_ports"
>(or another similar explicit wording) are less likely to get
>misunderstood (please take potential lack of language learning skills
>into account...).
>
>> Modified: head/sys/kern/kern_jail.c
>>
>> ==============================================================================
>> --- head/sys/kern/kern_jail.c Tue Jun 6 02:03:22 2017 (r319610)
>> +++ head/sys/kern/kern_jail.c Tue Jun 6 02:15:00 2017 (r319611)
>> @@ -199,6 +199,7 @@ static char *pr_allow_names[] = {
>> "allow.mount.fdescfs",
>> "allow.mount.linprocfs",
>> "allow.mount.linsysfs",
>> + "allow.reserved_ports",
>> };
>> const size_t pr_allow_names_size = sizeof(pr_allow_names);
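Review bot: appending "allow.reserved_ports" as the last entry of pr_allow_names is only correct if the PR_ALLOW_* flag added for it in sys/sys/jail.h (listed in the subject line but not quoted here) occupies the bit that corresponds to this index; the second hunk adds the matching "allow.noreserved_ports" entry at the same relative position in pr_allow_nonames, so the two arrays and the flag bits must all stay aligned. Confirm that in the sys/sys hunk, and that pr_allow_names_size, computed from sizeof(pr_allow_names) on the line that follows the addition, is the size used when walking both arrays.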
>>
>> @@ -218,10 +219,11 @@ static char *pr_allow_nonames[] = {
>> "allow.mount.nofdescfs",
>> "allow.mount.nolinprocfs",
>> "allow.mount.nolinsysfs",
>> + "allow.noreserved_ports",
>
>Bye,
>Alexander.

The option name is reserved_ports, which allows root to bind to the ports. As with all jail options, the no prefix disables it. This feature is on by default for backwards compatibility.
--
Allan Jude
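Review bot: the quoted diff stops at the "allow.noreserved_ports" entry, so the trailing context of this hunk and the usr.sbin/jail change named in the subject line are not visible in this message. The jail(8) text for the new parameter should list both spellings and state that allow.reserved_ports is enabled by default, as Allan Jude's reply says, because the commit log mentions only allow.noreserved_ports and a reader of the log alone could assume the restriction is on unless explicitly disabled.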
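To show how the parameter from r319611 is used in practice, here is a constructed jail.conf fragment. It is an added example, not part of the commit or of this thread; the jail names, paths and addresses are placeholders. It places the backwards-compatible default (jailed root may still bind below 1024) beside the restricted setting:

```conf
# /etc/jail.conf (constructed example; names, paths and addresses are placeholders)

# Settings shared by every jail defined below.
path = "/usr/jails/$name";
host.hostname = "$name.example.org";
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
mount.devfs;

# Default behaviour: allow.reserved_ports is on unless disabled, so root inside
# this jail may bind ports below 1024. Listing it explicitly documents the choice.
www {
    ip4.addr = 192.0.2.10;
    allow.reserved_ports;
}

# Restricted: root inside this jail is refused ports below 1024. A service that
# must be reachable on a privileged port has to listen high and be redirected
# from the host (for example with a pf rdr rule).
app {
    ip4.addr = 192.0.2.11;
    allow.noreserved_ports;
}
```

On a system carrying this change, `jls -j app allow.reserved_ports` reports the effective value for the jail, and the difference is visible from inside it: `jexec app nc -l 80` fails with "Permission denied" (the bind is refused with EACCES), while `jexec app nc -l 8080` listens normally and `jexec www nc -l 80` still succeeds.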