On Mon, 2018-08-20 at 16:47 +0200, Stefan Bethke wrote: > I have a Go program (acme-dns) that wants to bind 53, 80, and 443, > and I’d rather have it run as a non-privileged user. The program > doesn’t provide a facility to drop privs after binding the ports. I’m > planning to run it in a jail. > > After some googling, it appears that a couple of years ago I should > have been able to do: > sysctl net.inet.ip.portrange.reservedhigh=0 > and allow all processes to bind to „low“ ports. This does not work in > my jails on a 11-stable host. > > $ sudo sysctl net.inet.ip.portrange.reservedhigh=0 > net.inet.ip.portrange.reservedhigh: 1023 > sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted > > Securelevel should not interfere: > $ sysctl kern.securelevel > kern.securelevel: -1 > > Is there a way to allow regular processes to bind to low ports? > > > Stefan >
You might be able to set up a specific local userid for this process, then use mac_portacl(4) to allow it to bind to those ports. I'm not certain that works inside a jail, however. -- Ian _______________________________________________ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
