> On 20.08.2018 at 16:59, Bjoern A. Zeeb <bzeeb-lists at lists.zabbadoz.net> wrote:
>
> On 20 Aug 2018, at 14:47, Stefan Bethke wrote:
>
>> I have a Go program (acme-dns) that wants to bind 53, 80, and 443, and
>> I'd rather have it run as a non-privileged user. The program doesn't provide a
>> facility to drop privs after binding the ports. I'm planning to run it in a
>> jail.
>>
>> After some googling, it appears that a couple of years ago I should
>> have been able to do:
>> sysctl net.inet.ip.portrange.reservedhigh=0
>> and allow all processes to bind to "low" ports. This does not work in
>> my jails on a 11-stable host.
>>
>> $ sudo sysctl net.inet.ip.portrange.reservedhigh=0
>> net.inet.ip.portrange.reservedhigh: 1023
>> sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted
>>
>> Securelevel should not interfere:
>> $ sysctl kern.securelevel
>> kern.securelevel: -1
>>
>> Is there a way to allow regular processes to bind to low ports?
>
> you have to set it on the base system; alternatively with vnet you might
> be able to change it per-jail.
Do you feel it's OK to enable VIMAGE in -stable? When I tried last in 2016, I
had stability issues, I think related to pf.
Stefan
--
Stefan Bethke <stb at lassitu.de> Fon +49 151 14070811