Date: Mon, 23 Sep 2002 20:44:47 +0200
From: Michał Belczyk <diavul@bsd.krakow.pl>
To: freebsd-hackers@freebsd.org
Subject: Re: Just a wild idea
Message-ID: <20020923184447.GA14482@bsd.krakow.pl>
In-Reply-To: <20020922161453.A13323@psconsult.nl>
References: <20020922161453.A13323@psconsult.nl>

On Sun, Sep 22, 2002 at 04:14:53PM +0200, Paul Schenkeveld wrote:
> I've been playing with jails for over 2 years now. I really like
> them but we often use them to run a process as root with reduced
> power only to get access to TCP and UDP ports below 1024.
>
> For many applications however, for example lpd, named, sendmail,
> tac_plus and others, it would be more than good enough to run that
> program as a normal, non-root user provided there is a way to bind
> to that single low TCP and/or UDP port that the program needs access
> to.
>

Exactly. It would be great to have the capabilities implemented in
-stable ;)

I've written a kernel module for -stable you may be interested in.
With it you can for example let specified euids bind to the reserved
TCP/UDP ports. It's fully managed via sysctl. It also doesn't affect
jails. It's still under development but I use it e.g. to let my non-root
chrootuided syslogd bind to its port :)
All the effort is in fact

    sysctl fgc.net_bind.udp.acl=[60514:514]

where 60514 is syslogd user's uid.

The crazy syslogd story is here: http://bsd.krakow.pl/syslogd.html
and the fgc sources..

    cvs -d:pserver:cvs@bsd.krakow.pl:/cvs/fgc co fgc

You may also consider using the TrustedBSD-cap stuff and give the syslogd
binary CAP_NET_BIND_SERVICE capability.. but that's still -current.

Another possibility of giving a regular user some of the superuser powers
is CerbNG (http://cerber.sourceforge.net), but I'm not sure if Pawel has
already implemented the bind() stuff.. It's definitely a more advanced and
more complete security solution for -stable than my per euid/per group
capabilities and it's also still under development. With that you can
create per binary security policies including restricting access to
selected syscalls and granting additional access to other,
superuser-reserved syscalls.

.. and probably many other things that I'm not aware of :))

-- 
Michał Belczyk