Bind to port <1024 in jail
Bjoern A. Zeeb
bzeeb-lists at lists.zabbadoz.net
Mon Aug 20 14:59:24 UTC 2018
On 20 Aug 2018, at 14:47, Stefan Bethke wrote:
> I have a Go program (acme-dns) that wants to bind 53, 80, and 443, and
> I’d rather have it run as a non-privileged user. The program
> doesn’t provide a facility to drop privs after binding the ports.
> I’m planning to run it in a jail.
>
> After some googling, it appears that a couple of years ago I should
> have been able to do:
> sysctl net.inet.ip.portrange.reservedhigh=0
> and allow all processes to bind to „low“ ports. This does not work
> in my jails on a 11-stable host.
>
> $ sudo sysctl net.inet.ip.portrange.reservedhigh=0
> net.inet.ip.portrange.reservedhigh: 1023
> sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted
>
> Securelevel should not interfere:
> $ sysctl kern.securelevel
> kern.securelevel: -1
>
> Is there a way to allow regular processes to bind to low ports?
You have to set it on the base system; alternatively, with vnet you
might be able to change it per-jail.
/bz
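The two options from the reply written out as configuration, as an added illustration that is not part of the thread; the jail name, path, hostname and epair interface are assumptions. Note that the host-wide setting removes the reserved-port restriction for every unprivileged process on the host, not only acme-dns, which is why the per-vnet-jail variant is the narrower choice where it works.

```conf
# Option 1: host-wide. Appended to the host's /etc/sysctl.conf (or set
# once with `sysctl net.inet.ip.portrange.reservedhigh=0` as root on the
# host, since the jail cannot change it). Default is 1023, i.e. ports
# 0-1023 reserved; 0 means no reserved range at all. Applies to every
# process on the host and in every non-vnet jail.
net.inet.ip.portrange.reservedhigh=0

# Option 2: per-jail with vnet, in the host's /etc/jail.conf. A vnet jail
# gets its own copy of the net.inet.ip.* sysctls, so the reply suggests
# the value may be lowered from inside that jail only; exec.start runs
# inside the jail at startup. Names below are placeholders.
acmedns {
    vnet;
    vnet.interface = "epair0b";          # host side epair0a, bridged (assumed)
    host.hostname  = "acmedns.example.invalid";
    path           = "/jails/acmedns";
    mount.devfs;
    exec.start     = "sysctl net.inet.ip.portrange.reservedhigh=0";
    exec.start    += "/bin/sh /etc/rc";
    exec.stop      = "/bin/sh /etc/rc.shutdown";
}
```

Verify the result from inside the jail with `sysctl net.inet.ip.portrange.reservedhigh` before starting acme-dns as its unprivileged user; with option 1 the host value applies and the in-jail read should already show 0.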