From owner-svn-src-all@freebsd.org Wed Jun 7 11:25:58 2017
Date: Wed, 7 Jun 2017 13:24:10 +0200
From: Fabian Keil
To: Allan Jude
Cc: svn-src-all@freebsd.org
Subject: Re: svn commit: r319611 - in head: sys/kern sys/sys usr.sbin/jail
Message-ID: <20170607132410.39f52836@fabiankeil.de>
In-Reply-To: <3D906167-AC44-4BA5-B8ED-5E793D492BC0@FreeBSD.org>
References: <201706060215.v562F167035683@repo.freebsd.org> <20170606114425.126fd846@fabiankeil.de> <3D906167-AC44-4BA5-B8ED-5E793D492BC0@FreeBSD.org>

Allan Jude wrote:

> On June 6, 2017 5:44:25 AM EDT, Fabian Keil wrote:
> >Allan Jude wrote:
> >
> >> Author: allanjude
> >> Date: Tue Jun 6 02:15:00 2017
> >> New Revision: 319611
> >> URL: https://svnweb.freebsd.org/changeset/base/319611
> >>
> >> Log:
> >>   Jails: Optionally prevent jailed root from binding to privileged ports
> >>
> >>   You may now optionally specify allow.noreserved_ports to prevent root
> >>   inside a jail from using privileged ports (less than 1024)
> >>
> >>   PR:           217728
> >>   Submitted by: Matt Miller
> >>   Reviewed by:  jamie, cem, smh
> >>   Relnotes:     yes
> >>   Differential Revision: https://reviews.freebsd.org/D10202
> >>
> >> Modified:
> >>   head/sys/kern/kern_jail.c
> >>   head/sys/sys/jail.h
> >>   head/usr.sbin/jail/jail.8
> >[...]
> >> @@ -611,6 +613,8 @@ with non-jailed parts of the system.
> >> Sockets within a jail are normally restricted to IPv4, IPv6, local
> >> (UNIX), and route. This allows access to other protocol stacks that
> >> have not had jail functionality added to them.
> >> +.It Va allow.reserved_ports
> >> +The jail root may bind to ports lower than 1024.
> >
> >This description seems to imply that net.inet.ip.portrange.reservedhigh
> >isn't honoured while it actually is.
>
> I think the confusion here is: this option prevents root
> in the jail from using reserved ports. Nonroot users are
> always restricted

I understand that. My point is the man page addition suggests that the
reserved port range end is hard coded while the actual end can be
changed with net.inet.ip.portrange.reservedhigh.

Fabian
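Review bot: the new ".It Va allow.reserved_ports" entry in the jail.8 hunk states a fixed bound ("ports lower than 1024"), while the reply in this thread notes that the upper end of the reserved range is the net.inet.ip.portrange.reservedhigh sysctl, so the text is only accurate for the default value of that tunable; suggest wording that names the tunable instead of the number, e.g. "The jail root may bind to ports in the reserved range (the range is bounded by net.inet.ip.portrange.reservedhigh)." The commit log's parenthetical "(less than 1024)" carries the same fixed number.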
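As an added illustration that is not part of this thread and not FreeBSD's own code: a small C model of the bind-time policy under discussion, written so that the reserved range is bounded by the reservedlow/reservedhigh sysctl values rather than a fixed 1024, with allow.reserved_ports as the per-jail flag. The function names, the assumed defaults (0 and 1023) and the EACCES return are this example's own choices.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed defaults of net.inet.ip.portrange.reservedlow / .reservedhigh. */
#define RESERVEDLOW_DEFAULT  0
#define RESERVEDHIGH_DEFAULT 1023

/*
 * Model of the check discussed in the thread (not the kernel's code).
 * Returns 0 if the caller may bind to `port`, else EACCES.
 *
 *  root            effective uid 0
 *  jailed          caller runs inside a jail
 *  allow_reserved  the jail's allow.reserved_ports setting
 *                  (allow.noreserved_ports clears it)
 *  reservedlow/high  current values of the two sysctls
 */
int reserved_port_check(int port, bool root, bool jailed, bool allow_reserved,
                        int reservedlow, int reservedhigh)
{
    /* Outside the reserved range no privilege is needed at all. */
    if (port < reservedlow || port > reservedhigh)
        return 0;
    /* Unprivileged users never get a reserved port, jailed or not. */
    if (!root)
        return EACCES;
    /* Jailed root is subject to the per-jail allow flag. */
    if (jailed && !allow_reserved)
        return EACCES;
    return 0;
}

/* Convenience: jailed root with the assumed default sysctl values. */
int jailed_root_check(int port, bool allow_reserved)
{
    return reserved_port_check(port, true, true, allow_reserved,
                               RESERVEDLOW_DEFAULT, RESERVEDHIGH_DEFAULT);
}

int main(void)
{
    /* Whether a port is reserved follows reservedhigh, not the number 1024. */
    int ports[] = { 80, 1023, 1024, 1500 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        int p = ports[i];
        printf("port %4d, jailed root, noreserved_ports: reservedhigh=1023 -> %s,"
               " reservedhigh=2047 -> %s\n", p,
               reserved_port_check(p, true, true, false, 0, 1023) ? "EACCES" : "ok",
               reserved_port_check(p, true, true, false, 0, 2047) ? "EACCES" : "ok");
    }
    return 0;
}
```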