From: Yuri <yuri@FreeBSD.org>
To: FreeBSD hackers list
Subject: Possible to start the process with setuid while allowing it to listen on privileged ports?
Date: Mon, 11 Oct 2021 08:50:31 -0700
Message-ID: <6e98975c-34e5-246f-5b86-700b5f847815@rawbw.com>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers

The normal way to do this is for the application to first listen on the port and then setuid.
My question is about the situation where the application isn't willing to do this. The project author says that setuid is too difficult in Go and that Linux allows doing this through systemd: https://github.com/coredns/coredns/issues/4917#issuecomment-939892548

Can the process in FreeBSD be run as a regular user but still be allowed to bind to privileged ports?

Thanks,
Yuri
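For reference, the "normal way" the mail describes, written out as an added C example (this is not code from the original mail, from CoreDNS, or from FreeBSD itself): the process is started as root, binds the privileged port first, then permanently drops to an unprivileged uid/gid before it serves a single client, and checks that the drop cannot be reversed. The port number 53, the "nobody"-style uid/gid 65534 and the listen address are constructed assumptions for the example; the helper names are mine.

```c
/* Added example of the bind-then-drop-privileges pattern (not from the
 * original mail, CoreDNS or FreeBSD).  Port 53, uid/gid 65534 and the
 * listen address below are assumed values for illustration. */
#define _DEFAULT_SOURCE 1   /* glibc: expose setgroups(); no effect on FreeBSD */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Ports below IPPORT_RESERVED (1024) require root to bind on a default
 * FreeBSD or Linux system; this is the check the kernel applies. */
int is_privileged_port(unsigned port)
{
    return port < IPPORT_RESERVED;
}

/* Create a TCP listener bound to addr:port.  Returns the listening fd or
 * -1 with errno set.  Port 0 asks the kernel for an ephemeral port, which
 * is handy for exercising the function without root. */
int bind_listener(const char *addr, unsigned port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons((uint16_t)port);
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        listen(fd, 16) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently drop to uid/gid.  Order matters: supplementary groups and
 * the gid go first (they still need root), the uid goes last.  Returns 0
 * on success, -1 if any step failed or if root could be regained, which
 * would mean only the effective id was changed and the drop is not real. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* Fail closed: if setuid(0) succeeds here, the drop was not permanent. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return (getuid() == uid && geteuid() == uid && getgid() == gid) ? 0 : -1;
}

int main(void)
{
    /* Assumed values: DNS port 53, unprivileged uid/gid 65534. */
    int fd = bind_listener("0.0.0.0", 53);
    if (fd < 0) {
        perror("bind port 53 (needs root before the drop)");
        return 1;
    }
    if (drop_privileges(65534, 65534) < 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("listening on port 53 as uid %d (privileged port: %d)\n",
           (int)geteuid(), is_privileged_port(53));
    /* accept() loop would go here, already running unprivileged */
    close(fd);
    return 0;
}
```

The socket keeps working after the drop because the bind permission check happens once, at bind time, not on every accept; that is exactly why the ordering "bind first, then setuid" is the conventional answer, and why a runtime that makes setuid awkward (as the linked CoreDNS thread says of Go) pushes people toward a kernel-side exception instead.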