> On Aug 20, 2018, at 11:04 AM, Ian Lepore <ian at FreeBSD.org> wrote:
>
> On Mon, 2018-08-20 at 16:47 +0200, Stefan Bethke wrote:
>> I have a Go program (acme-dns) that wants to bind 53, 80, and 443,
>> and I'd rather have it run as a non-privileged user. The program
>> doesn't provide a facility to drop privs after binding the ports. I'm
>> planning to run it in a jail.
>>
>> After some googling, it appears that a couple of years ago I should
>> have been able to do:
>> sysctl net.inet.ip.portrange.reservedhigh=0
>> and allow all processes to bind to 'low' ports. This does not work in
>> my jails on a 11-stable host.
>>
>> $ sudo sysctl net.inet.ip.portrange.reservedhigh=0
>> net.inet.ip.portrange.reservedhigh: 1023
>> sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted
>>
>> Securelevel should not interfere:
>> $ sysctl kern.securelevel
>> kern.securelevel: -1
>>
>> Is there a way to allow regular processes to bind to low ports?
>>
>>
>> Stefan
>>
>
> You might be able to set up a specific local userid for this process,
> then use mac_portacl(4) to allow it to bind to those ports. I'm not
> certain that works inside a jail, however.
I am so behind on all the new toys in the system. I was very embarrassed
to find out about this feature from someone who's primarily working
with Linux in his day job. He was just looking to bind an Elixir app to 80/443
without running as root and he shared this:
security.mac.portacl.rules=gid:2001:tcp:80,gid:2001:tcp:443
We stuck that in sysctl.conf and that was that.
I wish FreeBSD still had the evangelism folks that would go out and
tell the userbase and anyone else that would listen about all the cool
new stuff. :)
Charles
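The rule string above is the whole trick, but a typo in it silently leaves the daemon unable to bind. The POSIX sh functions below are an added example for this thread, not code from any of the posters or from FreeBSD: they build a security.mac.portacl.rules value in the gid:ID:proto:port form shown above, sanity-check every entry against the syntax mac_portacl(4) accepts (uid or gid, numeric id, tcp or udp, a port within security.mac.portacl.port_high, whose default is 1023), and print the sysctl.conf line. The gid 2001 and ports 80/443 come from the message; the function names and the check rules are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build and sanity-check a
# security.mac.portacl.rules list before committing it to sysctl.conf.
# Function names and the validation rules are assumptions of this example.

# portacl_rules KIND ID PROTO PORT...  ->  "KIND:ID:PROTO:PORT,..."
# KIND is uid or gid, ID a numeric id, PROTO tcp or udp.
portacl_rules() {
    kind=$1; id=$2; proto=$3; shift 3
    out=""
    for port in "$@"; do
        rule="$kind:$id:$proto:$port"
        if [ -z "$out" ]; then out=$rule; else out="$out,$rule"; fi
    done
    printf '%s\n' "$out"
}

# portacl_check RULES [PORT_HIGH]  ->  0 if every comma-separated rule is
# well-formed and its port lies in 1..PORT_HIGH (default 1023, the
# mac_portacl port_high default), 1 otherwise.  One malformed entry is
# enough to make the whole list useless, so fail on the first bad rule.
portacl_check() {
    rules=$1; high=${2:-1023}
    oldifs=$IFS
    IFS=,; set -- $rules; IFS=$oldifs
    [ $# -gt 0 ] || return 1
    for rule in "$@"; do
        # Peel off the four colon-separated fields with parameter expansion.
        kind=${rule%%:*}; rest=${rule#*:}
        id=${rest%%:*};   rest=${rest#*:}
        proto=${rest%%:*}; port=${rest#*:}
        case $kind in uid|gid) ;; *) return 1 ;; esac
        case $id in ''|*[!0-9]*) return 1 ;; esac
        case $proto in tcp|udp) ;; *) return 1 ;; esac
        # A missing or extra field leaves a non-numeric port here.
        case $port in ''|*[!0-9]*) return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le "$high" ] || return 1
    done
    return 0
}

# portacl_sysctl_conf RULES  ->  the line to place in /etc/sysctl.conf
portacl_sysctl_conf() {
    printf 'security.mac.portacl.rules=%s\n' "$1"
}

# Stand-alone run: the rule from the thread (gid 2001, tcp 80 and 443).
demo_rules=$(portacl_rules gid 2001 tcp 80 443)
if portacl_check "$demo_rules"; then
    portacl_sysctl_conf "$demo_rules"
else
    echo "rejected rule list: $demo_rules" >&2
fi
```

Run it on the host that owns the jail: the sysctl lives in the host kernel, and mac_portacl(4) documents the module loading and the related net.inet.ip.portrange settings that go with it.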
>
> -- Ian
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"