svn commit: r319611 - in head: sys/kern sys/sys usr.sbin/jail
Allan Jude
allanjude at FreeBSD.org
Wed Jun 7 11:05:28 UTC 2017
On June 6, 2017 5:44:25 AM EDT, Fabian Keil <freebsd-listen at fabiankeil.de> wrote:
>Allan Jude <allanjude at FreeBSD.org> wrote:
>
>> Author: allanjude
>> Date: Tue Jun 6 02:15:00 2017
>> New Revision: 319611
>> URL: https://svnweb.freebsd.org/changeset/base/319611
>>
>> Log:
>> Jails: Optionally prevent jailed root from binding to privileged ports
>>
>> You may now optionally specify allow.noreserved_ports to prevent root
>> inside a jail from using privileged ports (less than 1024)
>>
>> PR: 217728
>> Submitted by: Matt Miller <mattm916 at pulsar.neomailbox.ch>
>> Reviewed by: jamie, cem, smh
>> Relnotes: yes
>> Differential Revision: https://reviews.freebsd.org/D10202
>>
>> Modified:
>> head/sys/kern/kern_jail.c
>> head/sys/sys/jail.h
>> head/usr.sbin/jail/jail.8
>[...]
>> @@ -611,6 +613,8 @@ with non-jailed parts of the system.
>> Sockets within a jail are normally restricted to IPv4, IPv6, local
>> (UNIX), and route. This allows access to other protocol stacks that
>> have not had jail functionality added to them.
>> +.It Va allow.reserved_ports
>> +The jail root may bind to ports lower than 1024.
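Review bot: the new allow.reserved_ports entry hardcodes "ports lower than 1024", but the reserved range is whatever net.inet.ip.portrange.reservedhigh (and reservedlow) say at bind time, as the reply below points out, so the wording should refer to the sysctl-controlled reserved port range rather than a fixed bound, e.g. "The jail root may bind to ports in the reserved range (see net.inet.ip.portrange.reservedhigh)". The entry should also state that it only affects root inside the jail, since non-root users are refused reserved ports regardless of this setting, and should say whether the permission is on by default as the other allow.* entries do. Separately, the log message names the option allow.noreserved_ports while this entry documents allow.reserved_ports; one of the two should be made consistent with the other (or the negated form mentioned alongside) so readers searching the manual find it.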
>
>This description seems to imply that net.inet.ip.portrange.reservedhigh
>isn't honoured while it actually is.
>
>Fabian
I think the confusion here is: this option prevents root in the jail from using reserved ports. Non-root users are always restricted.
--
Allan Jude
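The decision the thread is arguing about, as an added user-space model that is not FreeBSD kernel code and not part of the original message: "reserved" is defined by the net.inet.ip.portrange.reservedlow/reservedhigh sysctls (defaults 0 and 1023 on FreeBSD, so the familiar "below 1024" is the default, not a fixed rule), non-root callers are refused inside that range whatever the jail says, host root is always allowed, and jailed root is governed by the allow.reserved_ports option. The struct names, field names and the reserved_port_check() function are assumptions made for this illustration only.

```c
/*
 * Added illustration, not FreeBSD kernel code: a user-space model of the
 * reserved-port policy described in the thread.  The reserved range comes
 * from the net.inet.ip.portrange.reservedlow/reservedhigh values (defaults
 * 0 and 1023), so 1024 is not hard-coded anywhere.  The struct and field
 * names below are hypothetical and only mirror the jail(8) option semantics.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Modelled sysctl knobs read at bind time. */
struct portrange {
    int reservedlow;   /* net.inet.ip.portrange.reservedlow  (default 0)    */
    int reservedhigh;  /* net.inet.ip.portrange.reservedhigh (default 1023) */
};

/* Modelled credential: who is binding, and from which jail (if any). */
struct cred {
    unsigned uid;
    bool in_jail;
    bool allow_reserved_ports; /* the jail's allow.reserved_ports setting (hypothetical field) */
};

static bool port_is_reserved(const struct portrange *pr, int port)
{
    return port >= pr->reservedlow && port <= pr->reservedhigh;
}

/*
 * Returns 0 if a bind() to `port` would pass the reserved-port check and
 * EPERM otherwise.  The order of the tests reflects the thread's points:
 * the sysctl range defines "reserved", non-root is always refused inside
 * it, root on the host is always allowed, and jailed root depends on the
 * allow.reserved_ports option.
 */
int reserved_port_check(const struct cred *cr, const struct portrange *pr, int port)
{
    if (!port_is_reserved(pr, port))
        return 0;                              /* unprivileged port: no check needed */
    if (cr->uid != 0)
        return EPERM;                          /* non-root: always refused */
    if (!cr->in_jail)
        return 0;                              /* host root: allowed */
    return cr->allow_reserved_ports ? 0 : EPERM; /* jailed root: option decides */
}

int main(void)
{
    /* Constructed scenarios, not captured from a real system. */
    struct portrange dflt = { 0, 1023 };
    struct portrange lowered = { 0, 511 };  /* reservedhigh lowered by the admin */
    struct cred host_root = { 0, false, false };
    struct cred jail_root_denied = { 0, true, false };
    struct cred jail_root_allowed = { 0, true, true };
    struct cred jail_user = { 1001, true, true };

    printf("host root, port 80:                     %d\n", reserved_port_check(&host_root, &dflt, 80));
    printf("jailed root, allow.noreserved_ports:    %d\n", reserved_port_check(&jail_root_denied, &dflt, 80));
    printf("jailed root, allow.reserved_ports:      %d\n", reserved_port_check(&jail_root_allowed, &dflt, 80));
    printf("jailed non-root, allow.reserved_ports:  %d\n", reserved_port_check(&jail_user, &dflt, 80));
    printf("jailed root denied, reservedhigh=511, port 600: %d\n",
           reserved_port_check(&jail_root_denied, &lowered, 600));
    return 0;
}
```

The last case is the one Fabian raises: with reservedhigh lowered to 511, port 600 is no longer reserved, so even a jail without allow.reserved_ports may bind it, which is why a man page sentence fixed on "1024" is misleading.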
More information about the svn-src-all mailing list