Re: Possible to start the process with setuid while allowing it to listen on privileged ports?

From: Yuri <yuri_at_aetern.org>
Date: Mon, 11 Oct 2021 16:21:46 UTC
Yuri wrote:
> Normal way to do this is for the application to first listen on the port
> and then setuid.
> 
> 
> My question is about the situation when the application isn't willing to
> do this.
> 
> 
> The project author says that setuid is too difficult in Go and Linux
> allows to do this through systemd:
> 
> https://github.com/coredns/coredns/issues/4917#issuecomment-939892548
> 
> 
> Can in FreeBSD the process be run as a regular user but still be allowed
> to bind to privileged ports?

Quoting ip(4):
---
The range of privileged ports which only may be opened by root-owned
processes may be modified by the net.inet.ip.portrange.reservedlow and
net.inet.ip.portrange.reservedhigh sysctl settings.  The values default
to the traditional range, 0 through IPPORT_RESERVED-1 (0 through 1023),
respectively.  Note that these settings do not affect and are not
accounted for in the use or calculation of the other
net.inet.ip.portrange values above.  Changing these values departs from
UNIX tradition and has security consequences that the administrator
should carefully evaluate before modifying these settings.
---