Re: Possible to start the process with setuid while allowing it to listen on privileged ports?

From: Eugene Grosbein <eugen_at_grosbein.net>
Date: Tue, 12 Oct 2021 02:24:26 UTC
11.10.2021 22:50, Yuri wrote:

> The normal way to do this is for the application to first listen on the port and then setuid.
> 
> 
> My question is about the situation when the application isn't willing to do this.
> 
> 
> The project author says that setuid is too difficult in Go and that Linux allows doing this through systemd:
> 
> https://github.com/coredns/coredns/issues/4917#issuecomment-939892548
> 
> 
> In FreeBSD, can the process be run as a regular user but still be allowed to bind to privileged ports?

Yes, of course. We have had mac_portacl(4) since FreeBSD 8 just for that task.

There is a sysctl, net.inet.ip.portrange.reservedhigh (1023 by default), that defines the "privileged low port"
protection for the super-user. The kernel module mac_portacl provides the sysctl security.mac.portacl.port_high
(1023 by default), which duplicates this protection, so you should disable the first one after loading mac_portacl
with sysctl net.inet.ip.portrange.reservedhigh=0. Unprivileged users still cannot bind to low ports
unless specifically granted that right with another sysctl, for example:

security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53

This is a "real life" example for ISC BIND running with UID 53 that allows it to bind tcp/53 and udp/53
on dynamically created interfaces like tun/tap/ng/eiface etc. when BIND runs as non-root.
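The setup the reply describes, written out as a script. This is an added example, not code from the mailing-list post, from FreeBSD, or from the CoreDNS project; it assumes the reply's numbers (a daemon running as UID 53 that needs tcp/53 and udp/53) and the standard FreeBSD file locations /boot/loader.conf and /etc/sysctl.conf. The function names (portacl_rules, portacl_apply and so on) are this example's own. It goes slightly beyond the post in one respect: the rule string is validated field by field before it is handed to sysctl(8).

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from FreeBSD): the
# mac_portacl(4) setup described in the reply, as a script. Assumes the
# daemon runs as UID 53 and needs tcp/53 and udp/53; file paths are the
# standard FreeBSD ones (/boot/loader.conf, /etc/sysctl.conf).
set -eu

# Build a mac_portacl rules string. Rule syntax, from mac_portacl(4):
#   idtype:id:protocol:port[,idtype:id:protocol:port...]
# idtype is uid or gid, protocol is tcp or udp. Every field is checked here
# so a typo is caught before sysctl(8) rejects it.
portacl_rules() {
    idtype=$1; id=$2; shift 2
    case "$idtype" in uid|gid) ;; *) echo "bad idtype: $idtype" >&2; return 1 ;; esac
    case "$id" in ''|*[!0-9]*) echo "bad id: $id" >&2; return 1 ;; esac
    rules=""
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec#*:}
        case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
        rules="${rules:+$rules,}$idtype:$id:$proto:$port"
    done
    printf '%s\n' "$rules"
}

# Lines to persist across reboots. The module has to come from loader.conf:
# /etc/rc.d/sysctl applies sysctl.conf early in boot, and the
# security.mac.portacl.* OIDs do not exist until the module is loaded.
portacl_loader_conf() {
    printf '%s\n' 'mac_portacl_load="YES"'
}

portacl_sysctl_conf() {
    cat <<EOF
# hand low-port protection over to mac_portacl. reservedhigh=0 on its own
# would let any user bind any low port, so it belongs with the rules below.
# security.mac.portacl.suser_exempt is left at its default of 1, so root
# keeps its unrestricted access.
net.inet.ip.portrange.reservedhigh=0
security.mac.portacl.enabled=1
security.mac.portacl.port_high=1023
security.mac.portacl.rules=$1
EOF
}

# Live application on FreeBSD, as root. Order matters: load the module and
# install the rules first, then drop the generic reservedhigh protection, so
# there is no window in which the low ports are open to everyone.
portacl_apply() {
    kldload -n mac_portacl
    sysctl security.mac.portacl.rules="$1"
    sysctl security.mac.portacl.enabled=1
    sysctl net.inet.ip.portrange.reservedhigh=0
}

rules=$(portacl_rules uid 53 tcp:53 udp:53)   # uid:53:tcp:53,uid:53:udp:53

# "show" (the default) prints the lines for the two config files;
# "apply" changes the running system.
case "${1:-show}" in
    apply) portacl_apply "$rules" ;;
    show)  portacl_loader_conf; echo; portacl_sysctl_conf "$rules" ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument to get the lines for /boot/loader.conf and /etc/sysctl.conf, or with `apply` as root to change the running system. After applying, `sysctl security.mac.portacl.rules` should echo the rule string back, and the daemon started as UID 53 should show up in `sockstat -l` on port 53; any other low port should still fail with EACCES for that UID. Only ports up to security.mac.portacl.port_high are governed by the rules at all.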