[Bug 273208] An rc script for mac_portacl(4)
Date: Fri, 18 Aug 2023 16:13:07 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=273208

            Bug ID: 273208
           Summary: An rc script for mac_portacl(4)
           Product: Base System
           Version: Unspecified
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: conf
          Assignee: bugs@FreeBSD.org
          Reporter: tom@hur.st

Created attachment 244195
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=244195&action=edit
Dreaming of being /etc/rc.d/portacl

mac_portacl(4) is a kernel module providing access control policy for network
service port binding, allowing for specified users and groups to bind to
otherwise root-privileged ports.

Currently to make use of this, the module must be loaded, the rules set in a
sysctl in a single line with only numeric IDs allowed, and the stock reserved
ports sysctl needs to be set to disable enforcement. For example, allowing
user www, uid 80 to bind to ports http and https:

    net.inet.ip.portrange.reservedhigh=0
    security.mac.portacl.rules="uid:80:tcp:80,uid:80:tcp:443"

Attached is the first cut of an rc script which allows for configuration using
only rc.conf variables, including mapping user and service names to their
numeric equivalents. For example the above configuration would be achieved
with:

    portacl_enable="YES"
    portacl_users="www"
    portacl_user_www_tcp="http https"

This uses dynamic variables of the form portacl_{user,group}_${name}_{tcp,udp}
to configure each portion of the ruleset.

Existing raw rules can be combined:

    portacl_additional_rules="uid:143:tcp:993"

Existing rules and other relevant oids set in /etc/sysctl.conf{,.local} are
overridden, but a warning is issued if any are found.

Development is currently taking place here: https://github.com/Freaky/portacl

-- 
You are receiving this mail because:
You are the assignee for the bug.
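The following is an added example, not the reporter's attached script and not
anything from the Freaky/portacl repository. It shows the mechanism the report
describes: reading portacl_{user,group}_${name}_{tcp,udp} variables, resolving
user, group and service names to the numeric forms mac_portacl(4) accepts,
joining the result with portacl_additional_rules, and warning about sysctl.conf
lines the script would override. The function names (portacl_resolve_id,
portacl_resolve_port, portacl_build_rules, portacl_check_conflicts,
portacl_apply) are this example's own; it assumes a POSIX sh with id(1),
getent(1), awk, cut and tr available, as on FreeBSD and glibc systems.

```shell
#!/bin/sh
# Added example (not the bug report's attachment): build the
# security.mac.portacl.rules string from rc.conf-style variables.

# Resolve a user (uid) or group (gid) name to its numeric id.
# Purely numeric input passes through; an unknown name yields empty output.
portacl_resolve_id() {
    kind=$1 name=$2
    case $name in
        ''|*[!0-9]*) ;;                       # a name: look it up below
        *) echo "$name"; return 0 ;;           # already numeric
    esac
    case $kind in
        uid) id -u "$name" 2>/dev/null || : ;;
        gid) getent group "$name" 2>/dev/null | cut -d: -f3 ;;
    esac
}

# Resolve a service name (e.g. http) to a port number for the given protocol
# via the services(5) database; numeric ports pass through unchanged.
portacl_resolve_port() {
    proto=$1 svc=$2
    case $svc in
        ''|*[!0-9]*) getent services "$svc/$proto" 2>/dev/null |
                     awk '{ split($2, a, "/"); print a[1] }' ;;
        *) echo "$svc" ;;
    esac
}

# Build the comma-separated rule list. Prints the rules on stdout and returns 1
# if any user, group or service name could not be resolved, so a caller never
# installs a partial ruleset silently.
portacl_build_rules() {
    rules="" rc=0
    for kind in user group; do
        if [ "$kind" = user ]; then idkind=uid; else idkind=gid; fi
        eval "names=\$portacl_${kind}s"
        for name in $names; do
            nid=$(portacl_resolve_id "$idkind" "$name")
            if [ -z "$nid" ]; then
                echo "portacl: cannot resolve $kind '$name'" >&2
                rc=1; continue
            fi
            # Names such as "www-data" are not valid in a variable name, so
            # map every non-identifier character to '_' before the eval.
            varname=$(printf %s "$name" | tr -c '[:alnum:]_' _)
            for proto in tcp udp; do
                eval "ports=\$portacl_${kind}_${varname}_${proto}"
                for svc in $ports; do
                    port=$(portacl_resolve_port "$proto" "$svc")
                    if [ -z "$port" ]; then
                        echo "portacl: cannot resolve $proto service '$svc'" >&2
                        rc=1; continue
                    fi
                    rules="${rules:+$rules,}$idkind:$nid:$proto:$port"
                done
            done
        done
    done
    if [ -n "$portacl_additional_rules" ]; then
        rules="${rules:+$rules,}$portacl_additional_rules"
    fi
    echo "$rules"
    return $rc
}

# Warn about sysctl(5) settings in the given files that applying the rules
# would override (the report says such lines get a warning, not an error).
# Returns the number of offending lines found; 0 means no conflicts.
portacl_check_conflicts() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        while IFS= read -r line; do
            case $line in
                security.mac.portacl.*=*|net.inet.ip.portrange.reserved*=*)
                    echo "portacl: warning: $f sets '$line'; it will be overridden" >&2
                    found=$((found + 1)) ;;
            esac
        done < "$f"
    done
    return $found
}

# Apply on FreeBSD (needs root): load the module if not already loaded, relax
# the reserved-port check and install the rules, as the report describes.
portacl_apply() {
    rules=$(portacl_build_rules) || return 1
    portacl_check_conflicts /etc/sysctl.conf /etc/sysctl.conf.local || :
    kldload -n mac_portacl &&
    sysctl net.inet.ip.portrange.reservedhigh=0 >/dev/null &&
    sysctl security.mac.portacl.rules="$rules" >/dev/null
}
```

Sourcing this file and setting portacl_users="www" and
portacl_user_www_tcp="http https" before calling portacl_build_rules yields
the report's uid:80:tcp:80,uid:80:tcp:443 line on a system where www is uid 80.
Failing closed on an unresolvable name matters here: a rule string that
silently dropped an entry would leave a service unable to bind, while a typo
that resolved to the wrong id would grant the privilege to the wrong principal.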