From nobody Mon Oct 11 16:24:37 2021
X-Original-To: freebsd-hackers@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 444171804D33
	for <freebsd-hackers@mlmmj.nyi.freebsd.org>; Mon, 11 Oct 2021 16:24:44 +0000 (UTC)
	(envelope-from maxim@maxim.int.ru)
Received: from maxim.int.ru (maxim.int.ru [167.71.75.67])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "maxim.int.ru", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4HSkf40BXNz3pBx;
	Mon, 11 Oct 2021 16:24:43 +0000 (UTC)
	(envelope-from maxim@maxim.int.ru)
Received: from localhost (maxim@localhost [127.0.0.1])
	by maxim.int.ru (8.16.1/8.16.1) with ESMTPS id 19BGObBk080222
	(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO);
	Mon, 11 Oct 2021 16:24:37 GMT
	(envelope-from maxim@maxim.int.ru)
Date: Mon, 11 Oct 2021 16:24:37 +0000 (UTC)
From: Maxim Konovalov <maxim@maxim.int.ru>
To: Yuri <yuri@FreeBSD.org>
cc: Freebsd hackers list <freebsd-hackers@FreeBSD.org>
Subject: Re: Possible to start the process with setuid while allowing it to
 listen on privileged ports?
In-Reply-To: <6e98975c-34e5-246f-5b86-700b5f847815@rawbw.com>
Message-ID: <dbfaf2da-4be0-2c64-47e-30c2e2bc33f1@maxim.int.ru>
References: <6e98975c-34e5-246f-5b86-700b5f847815@rawbw.com>
List-Id: Technical discussions relating to FreeBSD <freebsd-hackers.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-hackers
List-Help: <mailto:freebsd-hackers+help@freebsd.org>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Subscribe: <mailto:freebsd-hackers+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-hackers+unsubscribe@freebsd.org>
Sender: owner-freebsd-hackers@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
X-Rspamd-Queue-Id: 4HSkf40BXNz3pBx
X-Spamd-Bar: ----
Authentication-Results: mx1.freebsd.org;
	none
X-Spamd-Result: default: False [-4.00 / 15.00];
	 REPLY(-4.00)[]
X-ThisMailContainsUnwantedMimeParts: N

On Mon, 11 Oct 2021, 08:50-0700, Yuri wrote:

> Normal way to do this is for the application to first listen on the port and
> then setuid.
>
> My question is about the situation when the application isn't willing to do
> this.
>
> The project author says that setuid is too difficult in Go and Linux allows to
> do this through systemd:
>
> https://github.com/coredns/coredns/issues/4917#issuecomment-939892548
>
> Can in FreeBSD the process be run as a regular user but still be allowed to
> bind to privileged ports?
>
This could be possible to implement with mac_portacl(4).

-- 
Maxim Konovalov