Re: Possible to start the process with setuid while allowing it to listen on privileged ports?
- In reply to: Yuri : "Possible to start the process with setuid while allowing it to listen on privileged ports?"
Date: Tue, 12 Oct 2021 02:24:26 UTC
11.10.2021 22:50, Yuri wrote:
> The normal way to do this is for the application to first listen on the port and then setuid.
>
> My question is about the situation when the application isn't willing to do this.
>
> The project author says that setuid is too difficult in Go and that Linux allows doing this through systemd:
>
> https://github.com/coredns/coredns/issues/4917#issuecomment-939892548
>
> Can the process in FreeBSD be run as a regular user but still be allowed to bind to privileged ports?

Yes, of course. We have had mac_portacl(4) since FreeBSD 8 just for that task.

There is a sysctl, net.inet.ip.portrange.reservedhigh=1023 by default, that defines the "privileged low port" protection for the super-user. The kernel module mac_portacl provides the sysctl security.mac.portacl.port_high=1023 by default, which duplicates this protection, so you should disable the first one after loading mac_portacl with sysctl net.inet.ip.portrange.reservedhigh=0.

Unprivileged users still cannot bind to low ports unless specifically granted that right with another sysctl, for example:

security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53

This is a "real life" example for ISC BIND running with UID 53 that allows it to bind tcp/53 and udp/53 for dynamically created interfaces like tun/tap/ng/eiface etc. when BIND runs as non-root.
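The sysctl settings described in the reply above, turned into a small POSIX sh helper that assembles a `security.mac.portacl.rules` value from `UID:PROTO:PORT` specs and prints the matching `/boot/loader.conf` and `/etc/sysctl.conf` lines. This is an added example, not code from the mailing-list post or from FreeBSD; it only uses the sysctl names quoted in the reply, the UID 53 / port 53 pairs are the post's BIND example, and the check that a requested port actually lies at or below `port_high` is an assumption of this script (a port above that limit needs no mac_portacl rule, so asking for one is most likely a typo). It writes nothing to the live system; apply the printed lines yourself and reboot, or load the module and run `sysctl` by hand in the order the reply gives.

```shell
#!/bin/sh
# Added example (not part of the original post): build a mac_portacl rule
# list and emit the config lines that grant an unprivileged UID a low port.

PORT_HIGH=1023   # mirrors the default of security.mac.portacl.port_high

# build_rules UID:PROTO:PORT ...  -> comma-separated rule list on stdout.
# Rejects unknown protocols, non-numeric ports and ports above PORT_HIGH
# (assumption: rules for ports mac_portacl does not govern are mistakes).
build_rules() {
    rules=""
    for spec in "$@"; do
        uid=${spec%%:*}
        rest=${spec#*:}
        proto=${rest%%:*}
        port=${rest#*:}
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol in '$spec'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
        if [ "$port" -gt "$PORT_HIGH" ]; then
            echo "port $port is above port_high=$PORT_HIGH; no rule needed" >&2
            return 1
        fi
        rules="${rules:+$rules,}uid:$uid:$proto:$port"
    done
    printf '%s\n' "$rules"
}

# emit_config RULES -> the settings from the reply: load the module at boot,
# switch off the kernel's own reserved-port check so mac_portacl's copy of
# it is the one in force, and install the rule list.
emit_config() {
    cat <<EOF
# /boot/loader.conf
mac_portacl_load="YES"

# /etc/sysctl.conf
net.inet.ip.portrange.reservedhigh=0
security.mac.portacl.port_high=$PORT_HIGH
security.mac.portacl.rules=$1
EOF
}

# Demonstration with the post's BIND example: UID 53 on tcp/53 and udp/53.
emit_config "$(build_rules 53:tcp:53 53:udp:53)"
```

The order matters when applying this by hand: load `mac_portacl` first, then set `net.inet.ip.portrange.reservedhigh=0`, otherwise there is a window in which nothing enforces the low-port restriction at all. With the settings in `loader.conf` and `sysctl.conf` the boot sequence takes care of that ordering for you.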