Re: Possible to start the process with setuid while allowing it to listen on privileged ports?

From: Chris Stephan <chris.stephan_at_live.com>
Date: Tue, 12 Oct 2021 02:07:10 UTC
Here is how we solve this problem.

First, it’s always wise to run a firewall on the system (PF, IPF, IPFW, etc.), at the very least since we are removing the presumed security mechanism provided by the root bind limit on lower ports. The firewall will provide a good audit trail, and provide a check and balance against the permissions provided by the mac_portacl framework.

Assuming the above, the following works flawlessly.

loader.conf(5) <https://www.freebsd.org/cgi/man.cgi?query=loader.conf&sektion=5&apropos=0&manpath=FreeBSD+13.0-RELEASE+and+Ports>:

mac_portacl_load="YES"
net.inet.ip.portrange.reservedlow=0
security.mac.portacl.port_high=1023
security.mac.portacl.enabled=1

Now, you specify the security.mac.portacl.rules required to support the use case. The trick in the above is that by setting the reservedlow port to 0 and port high to 1023, we are telling the mac_portacl framework it is in complete control of non-root binding for ports 0-1023, as opposed to relying on the implicit limits provided by the “must be root to bind” methodology inherent in traditional UNIX systems.

Thanks,

Chris

Sent from FreeBSD
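An added example, not code from the thread: a small POSIX sh helper that builds the security.mac.portacl.rules string for one service account (a constructed uid 5353 is assumed) and checks, against sysctl values, whether a mac_portacl(4) rule for a port can actually take effect. The check treats net.inet.ip.portrange.reservedlow/reservedhigh as the inclusive range the kernel's reserved-port check covers, which is the caveat the man page excerpt quoted later in the thread warns about.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a security.mac.portacl.rules value
# and evaluates whether mac_portacl(4) can honour a rule for a given port.
# The service uid (5353) used in the tests is a constructed placeholder.

# portacl_rules UID PORT... -> prints "uid:UID:tcp:PORT,uid:UID:udp:PORT,..."
# (mac_portacl rule syntax: idtype:id:protocol:port, comma separated)
portacl_rules() {
    uid=$1; shift
    rules=""
    for port in "$@"; do
        for proto in tcp udp; do
            rules="${rules}${rules:+,}uid:${uid}:${proto}:${port}"
        done
    done
    printf '%s\n' "$rules"
}

# check_portacl PORT ENABLED PORT_HIGH RESERVEDLOW RESERVEDHIGH
# Returns 0 if a portacl rule for PORT can be honoured, 1 otherwise.
# mac_portacl only governs binds up to security.mac.portacl.port_high, and a
# MAC policy cannot override the kernel's own reserved-port check, which still
# demands privilege for any port in [reservedlow, reservedhigh].
check_portacl() {
    port=$1; enabled=$2; port_high=$3; reservedlow=$4; reservedhigh=$5
    [ "$enabled" -eq 1 ] || { echo "mac_portacl is disabled" >&2; return 1; }
    [ "$port" -le "$port_high" ] || { echo "port $port above port_high=$port_high" >&2; return 1; }
    if [ "$port" -ge "$reservedlow" ] && [ "$port" -le "$reservedhigh" ]; then
        echo "port $port still inside reserved range [$reservedlow,$reservedhigh]" >&2
        return 1
    fi
    return 0
}

# Live check on a FreeBSD host: read the relevant sysctls and evaluate PORT.
check_portacl_live() {
    check_portacl "$1" \
        "$(sysctl -n security.mac.portacl.enabled)" \
        "$(sysctl -n security.mac.portacl.port_high)" \
        "$(sysctl -n net.inet.ip.portrange.reservedlow)" \
        "$(sysctl -n net.inet.ip.portrange.reservedhigh)"
}
```

Run `portacl_rules 5353 53` to get the rules string to place in security.mac.portacl.rules, and `check_portacl_live 53` on the FreeBSD host to confirm the sysctls let that rule apply.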

On Oct 11, 2021, at 1:42 PM, Yuri <yuri@aetern.org> wrote:

Maxim Konovalov wrote:
On Mon, 11 Oct 2021, 08:50-0700, Yuri wrote:

The normal way to do this is for the application to first listen on the port and
then setuid.

My question is about the situation when the application isn't willing to do
this.

The project author says that setuid is too difficult in Go and that Linux allows
doing this through systemd:

https://github.com/coredns/coredns/issues/4917#issuecomment-939892548

Can the process, in FreeBSD, be run as a regular user but still be allowed to
bind to privileged ports?

This could be possible to implement with mac_portacl(4).

mac_portacl(4) seems to be limited by the sysctls I mentioned in another
reply:
---
    port          Describes which port this entry applies to.  NOTE:
                  MAC security policies may not override other
                  security system policies by allowing accesses that
                  they may deny, such as
                  net.inet.ip.portrange.reservedlow /
                  net.inet.ip.portrange.reservedhigh.
---

In addition to Linux/systemd, Solaris also allows this through its
privilege framework (PRIV_NET_PRIVADDR).  Wonder if we have something
similar?