Date: Mon, 11 Oct 2021 19:21:46 +0300
Subject: Re: Possible to start the process with setuid while allowing it to listen on privileged ports?
List-Id: Technical discussions relating to FreeBSD
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
From: Yuri
To: Freebsd hackers list
In-Reply-To: <6e98975c-34e5-246f-5b86-700b5f847815@rawbw.com>

Yuri wrote:
> Normal way to do this is for the application to first listen on the port
> and then setuid.
>
>
> My question is about the situation when the application isn't willing to
> do this.
>
>
> The project author says that setuid is too difficult in Go and Linux
> allows to do this through systemd:
>
> https://github.com/coredns/coredns/issues/4917#issuecomment-939892548
>
>
> Can in FreeBSD the process be run as a regular user but still be allowed
> to bind to privileged ports?

Quoting ip(4):

---
The range of privileged ports which only may be opened by root-owned
processes may be modified by the net.inet.ip.portrange.reservedlow and
net.inet.ip.portrange.reservedhigh sysctl settings. The values default
to the traditional range, 0 through IPPORT_RESERVED-1 (0 through 1023),
respectively. Note that these settings do not affect and are not
accounted for in the use or calculation of the other
net.inet.ip.portrange values above. Changing these values departs from
UNIX tradition and has security consequences that the administrator
should carefully evaluate before modifying these settings.
---
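As an added example (not part of the thread, and not from the CoreDNS project), the following sh script turns the ip(4) text above into a small audit check: given the two sysctls it decides whether a non-root process could bind a particular port, and it flags when the configured range departs from the documented default of 0 through 1023. The function names are mine; the sysctl names and the default range come from the man page quoted above. On a FreeBSD host it reads the live values with sysctl(8); elsewhere it falls back to the defaults so it runs offline.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit the FreeBSD
# reserved-port range sysctls described in ip(4). All helper names here
# are assumptions of this example; the sysctl names and the default range
# (0..IPPORT_RESERVED-1, i.e. 0..1023) are taken from the ip(4) text.

# port_needs_root LOW HIGH PORT
# Prints "root-required" if PORT lies inside [LOW, HIGH], the range that
# only root-owned processes may open, otherwise "unprivileged-ok".
port_needs_root() {
    low=$1; high=$2; port=$3
    if [ "$port" -ge "$low" ] && [ "$port" -le "$high" ]; then
        echo "root-required"
    else
        echo "unprivileged-ok"
    fi
}

# range_departs_from_default LOW HIGH
# Succeeds (exit 0) when the configured range is not the traditional
# 0..1023, i.e. an administrator has changed the setting.
range_departs_from_default() {
    [ "$1" -ne 0 ] || [ "$2" -ne 1023 ]
}

# audit_reserved_range LOW HIGH PORT
# One-line summary suitable for a configuration-audit script.
audit_reserved_range() {
    status=$(port_needs_root "$1" "$2" "$3")
    if range_departs_from_default "$1" "$2"; then
        note="reserved range $1-$2 departs from default 0-1023"
    else
        note="reserved range is the default 0-1023"
    fi
    echo "port $3: $status ($note)"
}

# live_reserved_range
# Prints "LOW HIGH" read from the kernel on FreeBSD; on any system where
# these sysctls do not exist it falls back to the documented defaults.
live_reserved_range() {
    if sysctl -n net.inet.ip.portrange.reservedlow >/dev/null 2>&1; then
        low=$(sysctl -n net.inet.ip.portrange.reservedlow)
        high=$(sysctl -n net.inet.ip.portrange.reservedhigh)
    else
        low=0; high=1023   # documented defaults, used when sysctl is unavailable
    fi
    echo "$low $high"
}

# Example run: check port 53 (the port a DNS server such as CoreDNS needs)
# against whatever range this host actually has configured.
set -- $(live_reserved_range)
audit_reserved_range "$1" "$2" 53
```

Note that the range is a single system-wide setting: narrowing it so one daemon can bind port 53 without root also lets every other unprivileged user on the host bind that port, which is the security consequence the man page asks the administrator to weigh.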