setsockopt Operation not permitted as non-root user
Matt Smith
fbsd at xtaz.co.uk
Tue Oct 13 18:46:13 UTC 2015
I'm running net/sslh in transparent mode using IPFW to forward packets
to/from it. This works fine with no issues but I have to run it as root.
I was wondering if there is any way to use this running as a non-root
user. When I try this I get the following error:
sslh-select[35325]: setsockopt IP_BINDANY:1:Operation not permitted
I was thinking I could maybe use mac_portacl(4) to allow this but it
doesn't seem to work. I tried setting security.mac.portacl.rules to
uid:65534:tcp:423,uid:65534:tcp:444 and set
net.inet.ip.portrange.reservedhigh to 0. I still get the same error. The
reason I'm using those ports is because of the IPFW rules:
ipfw add 00020 fwd 10.0.0.10,4444 tcp from 192.168.1.0/24 to 10.0.0.10 443 in via re0
ipfw add 00021 fwd 10.0.0.10,4444 tcp from 10.0.0.10 423,444 to 192.168.1.0/24 out via re0
192.168.1.0/24 isn't the actual network I'm using, but you get the gist.
And I have openssh and a webserver listening on 423 and 444, with sslh
on port 4444.
Alternatively, Linux appears to have something called capabilities and
specifically CAP_NET_ADMIN, where it appears you can give the process
enough extra privileges to do this itself. I assume the equivalent on
FreeBSD is mac_portacl though?
--
Matt
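Added example (not code from the original post or from sslh): the pattern daemons use for exactly this situation, namely set the privileged socket option and bind while still root, then drop to an unprivileged uid/gid and stay there. On FreeBSD the option is IP_BINDANY, which the kernel gates with a privilege check rather than a port check, so a port ACL does not reach it; on Linux the analogue is IP_TRANSPARENT, which needs CAP_NET_ADMIN. The address 10.0.0.10:4444 and uid/gid 65534 are placeholders taken from the post; the ipfw fwd rules that steer traffic to the listener are not part of this program.

```c
/* Added example, not sslh's code: open a "bind to any address" TCP
 * listener as root, then drop privileges permanently.
 * FreeBSD: IP_BINDANY (privilege-gated). Linux: IP_TRANSPARENT (CAP_NET_ADMIN). */
#define _DEFAULT_SOURCE 1
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#if defined(IP_BINDANY)
#define BINDANY_OPT  IP_BINDANY
#define BINDANY_NAME "IP_BINDANY"
#elif defined(IP_TRANSPARENT)
#define BINDANY_OPT  IP_TRANSPARENT
#define BINDANY_NAME "IP_TRANSPARENT"
#else
#define BINDANY_OPT  (-1)
#define BINDANY_NAME "(unsupported)"
#endif

/* Enable the bind-to-any option on fd. Returns 0, or the errno from setsockopt
 * (EPERM when the caller lacks the privilege, ENOPROTOOPT if unsupported). */
int set_bindany(int fd)
{
#if BINDANY_OPT < 0
    (void)fd;
    return ENOPROTOOPT;
#else
    int one = 1;
    if (setsockopt(fd, IPPROTO_IP, BINDANY_OPT, &one, sizeof(one)) < 0)
        return errno;
    return 0;
#endif
}

/* Create a listening TCP socket on addr:port with the bind-any option set
 * before bind(). Must be called while still privileged. Returns the fd, or -1
 * with errno set. */
int open_bindany_listener(const char *addr, uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    int rc = set_bindany(fd);
    if (rc != 0) {
        close(fd);
        errno = rc;
        return -1;
    }

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 || listen(fd, 16) < 0) {
        int e = errno;
        close(fd);
        errno = e;
        return -1;
    }
    return fd;
}

/* Drop to uid/gid for good: supplementary groups first, then gid, then uid.
 * Order matters; once uid is non-zero the other two calls would fail. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0)       return -1;
    if (setuid(uid) < 0)       return -1;
    return 0;
}

/* 1 if the process is not root and cannot become root again (setuid(0) fails). */
int privileges_are_dropped(void)
{
    if (geteuid() == 0)
        return 0;
    return setuid(0) < 0 ? 1 : 0;
}

int main(void)
{
    /* Placeholder values from the post: sslh on 10.0.0.10:4444, uid/gid 65534. */
    int fd = open_bindany_listener("10.0.0.10", 4444);
    if (fd < 0) {
        perror("open_bindany_listener (" BINDANY_NAME ")");
        return 1;
    }
    if (drop_privileges(65534, 65534) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("listening on fd %d as uid %u, dropped=%d\n",
           fd, (unsigned)geteuid(), privileges_are_dropped());
    close(fd);
    return 0;
}
```

Run it as root: the listener is created while the privilege is available and the rest of the process lifetime runs as uid 65534. Run it unprivileged and set_bindany returns EPERM, which is the same failure the sslh log line shows; that is the check to make before blaming a port ACL.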