Re: Possible to start the process with setuid while allowing it to listen on privileged ports?
Date: Tue, 12 Oct 2021 02:07:10 UTC
Here is how we solve this problem. First, it’s always wise to run a firewall on the system, PF, IPF, or IPFW, etc… at the very least since we are removing the presumed security mechanism provided by root bind limit on lower ports. The firewall will provide a good audit trail, and provide a check and balance against the permissions provided by mac_portacl framework Assuming the above, the following works flawlessly. loader.conf(5)<https://www.freebsd.org/cgi/man.cgi?query=loader.conf&sektion=5&apropos=0&manpath=FreeBSD+13.0-RELEASE+and+Ports>: mac_portacl_load="YES" net.inet.ip.portrange.reservedlow=0 security.mac.portacl.port_high=1023 security.mac.portacl.enabled=1 Now, you specify the security.mac.portacl.rules Required to support the use case. The trick in the above is by setting the reservedlow port to 0 and port high to 1023, we are telling the mac_portacl framework it is in complete control of non root binding for ports 0-1023 as opposed to relying on the implicit limits provided by the “must be root to bind“ methodology inherent in traditional UNIX’s. Thanks, Chris Sent from FreeBSD On Oct 11, 2021, at 1:42 PM, Yuri <yuri@aetern.org> wrote: Maxim Konovalov wrote: On Mon, 11 Oct 2021, 08:50-0700, Yuri wrote: Normal way to do this is for the application to first listen on the port and then setuid. My question is about the situation when the application isn't willing to do this. The project author says that setuid is too difficult in Go and Linux allows to do this through systemd: https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fcoredns%2Fcoredns%2Fissues%2F4917%23issuecomment-939892548&data=04%7C01%7C%7C318eb11be355473a72c608d98ce6ec54%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637695745719714673%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=PoKlqpeRKy4ntyRmDkox3Qt5aO9qHnZosnDXk0bNPw8%3D&reserved=0 Can in FreeBSD the process be run as a regular user but still be allowed to bind to privileged ports? This could be possible to implement with mac_portacl(4). mac_portacl(4) seems to be limited by the sysctls I mentioned in another reply: --- port Describes which port this entry applies to. NOTE: MAC security policies may not override other security system policies by allowing accesses that they may deny, such as net.inet.ip.portrange.reservedlow / net.inet.ip.portrange.reservedhigh. --- In addition to linux/systemd, solaris also allows this through its privilege framework (PRIV_NET_PRIVADDR). Wonder if we have something similar?