On 23/09/2024 13:50, Matthew Seaman wrote:
On 22/09/2024 16:34, Willem Jan Withagen wrote:
On 19/09/2024 20:04, Dan Mack wrote:
On Thu, 19 Sep 2024, Matthew Seaman wrote:
On 19/09/2024 18:16, Dan Mack wrote:
On Tue, 2 Jul 2024, sth...@nethelp.no wrote:
So we set uid 53 (bind) at 0.083518302, and then try to bind
to port
953 at 0.093282161.
Are you going to poe a bug with the bind people?
Already did:
https://gitlab.isc.org/isc-projects/bind9/-/issues/4793
Steinar Haug, AS2116
Probably everyone knows but this still happens in the bind920-9.20.1
package.
However, BIND 9.20.2 was released yesterday with a change to when
bind
drops privilege levels so perhaps we will have a working version
when the
port / package is updated.
The update was already committed:
https://cgit.freebsd.org/ports/commit/?id=06790657ec8a80f894db824e7a9cadd71ec4e292
Cheers,
Matthew
Thank you! Was about to try a build myself but now I don't have to
:-)
Untill that time I choose to set the highest privileged port to 952...
net.inet.ip.portrange.reservedhigh=952
mac_portacl(4) is useful in these situations. It allows you to
specify users that can bind to a specified secure port without needing
root privileges.
I know, but this was the easiest "fix" for this, I could think off...
Especially whilest we are waiting for an updated version in ports/pkgs.
That does things like they used to.
And with mac_portacl(4) you need to consider IF you have any other ports
< 1024 in use.
Since they will possibly now be covered by MAC protection. (like snmp or
others)
Lots of ways those can be overruled, like security.mac.portacl.suser_exempt.
So good reason to read the man pages before you load.
--WjW
