Date: Mon, 20 Aug 2018 14:37:25 -0400
From: Charles Sprickman <spork@bway.net>
To: Ian Lepore <ian@FreeBSD.org>
Cc: Stefan Bethke <stb@lassitu.de>, FreeBSD Stable <freebsd-stable@freebsd.org>
Subject: Re: Bind to port <1024 in jail
Message-ID: <36614699-F6E0-495D-8EC0-FCF4B1B12BA3@bway.net>
In-Reply-To: <1534777490.27158.47.camel@freebsd.org>
References: <75536186-7D58-498C-BFC6-9284EB7CB444@lassitu.de> <1534777490.27158.47.camel@freebsd.org>
> On Aug 20, 2018, at 11:04 AM, Ian Lepore <ian@FreeBSD.org> wrote:
>
> On Mon, 2018-08-20 at 16:47 +0200, Stefan Bethke wrote:
>> I have a Go program (acme-dns) that wants to bind 53, 80, and 443,
>> and I'd rather have it run as a non-privileged user. The program
>> doesn't provide a facility to drop privs after binding the ports. I'm
>> planning to run it in a jail.
>>
>> After some googling, it appears that a couple of years ago I should
>> have been able to do:
>> sysctl net.inet.ip.portrange.reservedhigh=0
>> and allow all processes to bind to „low“ ports. This does not work in
>> my jails on an 11-stable host.
>>
>> $ sudo sysctl net.inet.ip.portrange.reservedhigh=0
>> net.inet.ip.portrange.reservedhigh: 1023
>> sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted
>>
>> Securelevel should not interfere:
>> $ sysctl kern.securelevel
>> kern.securelevel: -1
>>
>> Is there a way to allow regular processes to bind to low ports?
>>
>>
>> Stefan
>>
>
> You might be able to set up a specific local userid for this process,
> then use mac_portacl(4) to allow it to bind to those ports. I'm not
> certain that works inside a jail, however.

I am so behind on all the new toys in the system. I was very embarrassed to find out about this feature from someone who's primarily working with Linux in his day job. He was just looking to bind an Elixir app to 80/443 without running as root and he shared this:

security.mac.portacl.rules=gid:2001:tcp:80,gid:2001:tcp:443

We stuck that in sysctl.conf and that was that.

I wish FreeBSD still had the evangelism folks that would go out and tell the userbase and anyone else that would listen about all the cool new stuff.

:)

Charles

>
> -- Ian
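As an added example (not from the thread and not FreeBSD's own tooling), a small POSIX sh helper that checks mac_portacl(4) rules of the form idtype:id:proto:port before they go into sysctl.conf and prints the companion lines the rule set needs. Assumptions: the gid 2001 / ports 80 and 443 are the sample values from the message above; the 1..1023 bound is the module's default security.mac.portacl.port_high; the net.inet.ip.portrange.reservedlow/reservedhigh=0 lines are the settings mac_portacl(4) documents so the classic low-port reservation does not reject the bind before the MAC check runs.

```shell
#!/bin/sh
# Added example, not from the thread: validate mac_portacl(4) rules of the form
# idtype:id:proto:port and emit the sysctl.conf lines that make them effective.
# Sample input (gid 2001, TCP 80/443) is the rule quoted in the message above.
# The module itself is loaded with mac_portacl_load="YES" in /boot/loader.conf.

# portacl_check RULE: succeed only if RULE is well-formed for mac_portacl.
portacl_check() {
    rule=$1
    idtype=${rule%%:*}; rest=${rule#*:}
    id=${rest%%:*};     rest=${rest#*:}
    proto=${rest%%:*};  port=${rest#*:}
    case $idtype in uid|gid) ;; *) return 1 ;; esac   # only uid/gid subjects
    case $id    in ''|*[!0-9]*) return 1 ;; esac      # numeric id, not a name
    case $proto in tcp|udp) ;; *) return 1 ;; esac    # only TCP and UDP
    case $port  in ''|*[!0-9]*) return 1 ;; esac      # numeric port, no extra fields
    # Rules only take effect up to security.mac.portacl.port_high (default 1023).
    [ "$port" -ge 1 ] && [ "$port" -le 1023 ]
}

# portacl_rules RULE...: print the security.mac.portacl.rules= line, or fail on
# the first malformed rule so a typo cannot silently grant nothing or too much.
portacl_rules() {
    [ $# -gt 0 ] || return 1
    out=
    for r in "$@"; do
        portacl_check "$r" || { echo "bad mac_portacl rule: $r" >&2; return 1; }
        out=${out:+$out,}$r
    done
    printf 'security.mac.portacl.rules=%s\n' "$out"
}

# portacl_sysctl_conf RULE...: the full set of lines for /etc/sysctl.conf. The
# portrange sysctls must be 0 so the classic <1024 reservation is skipped and
# the bind reaches mac_portacl; they are set on the host, not inside the jail.
portacl_sysctl_conf() {
    portacl_rules "$@" || return 1
    printf '%s\n' \
        'security.mac.portacl.suser_exempt=1' \
        'net.inet.ip.portrange.reservedlow=0' \
        'net.inet.ip.portrange.reservedhigh=0'
}

# Stand-alone use: print the config for the example from the thread.
portacl_sysctl_conf gid:2001:tcp:80 gid:2001:tcp:443
```

Redirect the output into /etc/sysctl.conf on the host (or compare it with what is already there) rather than applying it blindly; the checker rejects symbolic names, unsupported protocols and ports above port_high, which are the usual ways a rule ends up silently ineffective.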