From: Charles Sprickman <spork@bway.net>
Subject: Re: Bind to port <1024 in jail
Date: Mon, 20 Aug 2018 14:37:25 -0400
To: Ian Lepore
Cc: Stefan Bethke, FreeBSD Stable
Message-Id: <36614699-F6E0-495D-8EC0-FCF4B1B12BA3@bway.net>
In-Reply-To: <1534777490.27158.47.camel@freebsd.org>
References: <75536186-7D58-498C-BFC6-9284EB7CB444@lassitu.de> <1534777490.27158.47.camel@freebsd.org>
List-Id: Production branch of FreeBSD source code

> On Aug 20, 2018, at 11:04 AM, Ian Lepore wrote:
>
> On Mon, 2018-08-20 at 16:47 +0200, Stefan Bethke wrote:
>> I have a Go program (acme-dns) that wants to bind 53, 80, and 443,
>> and I’d rather have it run as a non-privileged user. The program
>> doesn’t provide a facility to drop privs after binding the ports. I’m
>> planning to run it in a jail.
>>
>> After some googling, it appears that a couple of years ago I should
>> have been able to do:
>> sysctl net.inet.ip.portrange.reservedhigh=0
>> and allow all processes to bind to „low“ ports. This does not work in
>> my jails on an 11-stable host.
>>
>> $ sudo sysctl net.inet.ip.portrange.reservedhigh=0
>> net.inet.ip.portrange.reservedhigh: 1023
>> sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted
>>
>> Securelevel should not interfere:
>> $ sysctl kern.securelevel
>> kern.securelevel: -1
>>
>> Is there a way to allow regular processes to bind to low ports?
>>
>>
>> Stefan
>>
>
> You might be able to set up a specific local userid for this process,
> then use mac_portacl(4) to allow it to bind to those ports. I'm not
> certain that works inside a jail, however.

I am so behind on all the new toys in the system. I was very embarrassed to find out about this feature from someone who’s primarily working with Linux in his day job. He was just looking to bind an Elixir app to 80/443 without running as root and he shared this:

security.mac.portacl.rules=gid:2001:tcp:80,gid:2001:tcp:443

We stuck that in sysctl.conf and that was that.

I wish FreeBSD still had the evangelism folks that would go out and tell the userbase and anyone else that would listen about all the cool new stuff. :)

Charles

>
> -- Ian
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
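The rule line Charles posted is the whole of the policy, so a small helper for building and sanity-checking such rule strings, and for emitting the sysctl.conf fragment that goes with them, follows as an added example. It is not from the thread or from FreeBSD; it assumes the mac_portacl(4) rule grammar idtype:id:protocol:port with rules joined by commas, that idtype is uid or gid and protocol tcp or udp, that only ports up to security.mac.portacl.port_high (default 1023) are governed by the policy, and that the kernel's ordinary reserved-port check is separate from the MAC policy, so net.inet.ip.portrange.reservedlow and reservedhigh have to be emptied for the rules to take effect (verify that last point against your mac_portacl(4)). Those net.inet sysctls are the ones Stefan could not set from inside his jail, so the fragment is meant for the host's sysctl.conf; whether the policy then applies to the jailed process is the open question Ian raised. The script touches nothing on the system, it only produces and validates text.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from FreeBSD itself.
# Build / validate security.mac.portacl.rules strings and print the
# matching sysctl.conf fragment.  Assumptions (check mac_portacl(4)):
#   - rule grammar is idtype:id:protocol:port, rules joined by ','
#   - idtype is uid|gid, protocol is tcp|udp, id and port are decimal
#   - only ports <= security.mac.portacl.port_high (default 1023) are
#     governed by the policy, so a rule above that is a config mistake
#   - the kernel's reserved-port check is separate from the MAC policy

PORTACL_PORT_HIGH=${PORTACL_PORT_HIGH:-1023}

# is_uint STR -> 0 if STR is a non-empty string of decimal digits
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# portacl_rule IDTYPE ID PROTO PORT -> prints one well-formed rule, or fails
portacl_rule() {
    idtype=$1; id=$2; proto=$3; port=$4
    case "$idtype" in uid|gid) ;; *) echo "bad idtype: $idtype" >&2; return 1 ;; esac
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    is_uint "$id"   || { echo "bad id: $id" >&2; return 1; }
    is_uint "$port" || { echo "bad port: $port" >&2; return 1; }
    if [ "$port" -lt 1 ] || [ "$port" -gt "$PORTACL_PORT_HIGH" ]; then
        echo "port $port outside 1..$PORTACL_PORT_HIGH (security.mac.portacl.port_high)" >&2
        return 1
    fi
    printf '%s:%s:%s:%s' "$idtype" "$id" "$proto" "$port"
}

# portacl_rules IDTYPE ID PROTO PORT... -> one comma-joined rule string
# e.g. portacl_rules gid 2001 tcp 80 443 -> gid:2001:tcp:80,gid:2001:tcp:443
portacl_rules() {
    idtype=$1; id=$2; proto=$3; shift 3
    out=
    for p in "$@"; do
        r=$(portacl_rule "$idtype" "$id" "$proto" "$p") || return 1
        out="${out:+$out,}$r"
    done
    printf '%s' "$out"
}

# portacl_check_rules RULESTRING -> 0 if every rule parses and is in range
portacl_check_rules() {
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    [ $# -gt 0 ] || return 1
    for rule in "$@"; do
        old_ifs=$IFS; IFS=:
        set -- $rule
        IFS=$old_ifs
        [ $# -eq 4 ] || { echo "malformed rule: $rule" >&2; return 1; }
        portacl_rule "$1" "$2" "$3" "$4" >/dev/null || return 1
    done
    return 0
}

# portacl_sysctl_conf RULESTRING -> the /etc/sysctl.conf fragment for it.
# The module must be loaded first: mac_portacl_load="YES" in
# /boot/loader.conf, or kldload mac_portacl on a running system.
portacl_sysctl_conf() {
    portacl_check_rules "$1" || return 1
    cat <<EOF
# mac_portacl(4): let the listed uid/gid bind the listed low ports
security.mac.portacl.rules=$1
# keep root able to bind any port regardless of the rule list
security.mac.portacl.suser_exempt=1
# ASSUMPTION (verify in mac_portacl(4)): the generic reserved-port check is
# separate from the MAC policy, so the reserved range is emptied here and
# mac_portacl becomes the only gate on ports <= port_high.  Without the
# module loaded and enabled these two lines let ANY process bind low ports.
net.inet.ip.portrange.reservedlow=0
net.inet.ip.portrange.reservedhigh=0
EOF
}

# Usage: generate the rule string from the thread and print the fragment.
if [ "${0##*/}" != "sh" ] && [ -z "$PORTACL_NO_MAIN" ]; then
    rules=$(portacl_rules gid 2001 tcp 80 443) && portacl_sysctl_conf "$rules"
fi
```

Run it with no arguments to see the fragment for gid 2001 on tcp/80 and tcp/443; set PORTACL_PORT_HIGH if you have raised security.mac.portacl.port_high, and source the file with PORTACL_NO_MAIN=1 to use the functions from another script.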