Re: Possible to start the process with setuid while allowing it to listen on privileged ports?

From: Yuri <yuri_at_aetern.org>
Date: Mon, 11 Oct 2021 18:41:23 UTC
Maxim Konovalov wrote:
> On Mon, 11 Oct 2021, 08:50-0700, Yuri wrote:
> 
>> Normal way to do this is for the application to first listen on the port and
>> then setuid.
>>
>> My question is about the situation when the application isn't willing to do
>> this.
>>
>> The project author says that setuid is too difficult in Go and Linux allows to
>> do this through systemd:
>>
>> https://github.com/coredns/coredns/issues/4917#issuecomment-939892548
>>
>> Can in FreeBSD the process be run as a regular user but still be allowed to
>> bind to privileged ports?
>>
> This could be possible to implement with mac_portacl(4).

mac_portacl(4) seems to be limited by the sysctls I mentioned in another
reply:
---
     port          Describes which port this entry applies to.  NOTE:
                   MAC security policies may not override other
                   security system policies by allowing accesses that
                   they may deny, such as
                   net.inet.ip.portrange.reservedlow /
                   net.inet.ip.portrange.reservedhigh.
---

In addition to linux/systemd, solaris also allows this through its
privilege framework (PRIV_NET_PRIVADDR).  Wonder if we have something
similar?