Re: Possible to start the process with setuid while allowing it to listen on privileged ports?
- Reply: Chris Stephan : "Re: Possible to start the process with setuid while allowing it to listen on privileged ports?"
- In reply to: Maxim Konovalov : "Re: Possible to start the process with setuid while allowing it to listen on privileged ports?"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 11 Oct 2021 18:41:23 UTC
Maxim Konovalov wrote: > On Mon, 11 Oct 2021, 08:50-0700, Yuri wrote: > >> Normal way to do this is for the application to first listen on the port and >> then setuid. >> >> My question is about the situation when the application isn't willing to do >> this. >> >> The project author says that setuid is too difficult in Go and Linux allows to >> do this through systemd: >> >> https://github.com/coredns/coredns/issues/4917#issuecomment-939892548 >> >> Can in FreeBSD the process be run as a regular user but still be allowed to >> bind to privileged ports? >> > This could be possible to implement with mac_portacl(4). mac_portacl(4) seems to be limited by the sysctls I mentioned in another reply: --- port Describes which port this entry applies to. NOTE: MAC security policies may not override other security system policies by allowing accesses that they may deny, such as net.inet.ip.portrange.reservedlow / net.inet.ip.portrange.reservedhigh. --- In addition to linux/systemd, solaris also allows this through its privilege framework (PRIV_NET_PRIVADDR). Wonder if we have something similar?