Bind to port <1024 in jail
Ian Lepore
ian at freebsd.org
Mon Aug 20 15:04:54 UTC 2018
On Mon, 2018-08-20 at 16:47 +0200, Stefan Bethke wrote:
> I have a Go program (acme-dns) that wants to bind 53, 80, and 443,
> and I’d rather have it run as a non-privileged user. The program
> doesn’t provide a facility to drop privs after binding the ports. I’m
> planning to run it in a jail.
>
> After some googling, it appears that a couple of years ago I should
> have been able to do:
> sysctl net.inet.ip.portrange.reservedhigh=0
> and allow all processes to bind to „low“ ports. This does not work in
> my jails on a 11-stable host.
>
> $ sudo sysctl net.inet.ip.portrange.reservedhigh=0
> net.inet.ip.portrange.reservedhigh: 1023
> sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted
>
> Securelevel should not interfere:
> $ sysctl kern.securelevel
> kern.securelevel: -1
>
> Is there a way to allow regular processes to bind to low ports?
>
>
> Stefan
>
You might be able to set up a specific local userid for this process,
then use mac_portacl(4) to allow it to bind to those ports. I'm not
certain that works inside a jail, however.
-- Ian
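The mac_portacl(4) approach Ian suggests, written out as an added example that is not part of the thread: it assumes the service runs as uid 1001 (placeholder) and that the jail is a non-VNET jail sharing the host's network stack, so the sysctls are set on the host rather than inside the jail where the original poster got "Operation not permitted". Only the rule-building function is exercised here; applying the sysctls needs root on the host.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): let one unprivileged uid
# bind 53/udp, 53/tcp, 80/tcp and 443/tcp through mac_portacl(4) instead of
# running the service as root. Assumption: the service uid is 1001.
SVC_UID=1001

# Build the security.mac.portacl.rules string: comma-separated entries of the
# form "uid:<id>:<proto>:<port>", one per proto/port argument (e.g. tcp/80).
portacl_rules() {
    uid=$1; shift
    rules=""
    for spec in "$@"; do
        proto=${spec%%/*}   # "tcp" from "tcp/80"
        port=${spec##*/}    # "80"  from "tcp/80"
        rules="${rules:+$rules,}uid:$uid:$proto:$port"
    done
    printf '%s' "$rules"
}

# Apply the policy on the host (needs root). mac_portacl is a kernel module,
# so it is loaded and configured on the host, not inside the jail.
apply_portacl() {
    kldload -n mac_portacl
    # mac_portacl(4) only takes effect once the generic reserved-port check is
    # switched off; from then on the rules list is the sole gate for ports
    # below port_high.
    sysctl net.inet.ip.portrange.reservedlow=0
    sysctl net.inet.ip.portrange.reservedhigh=0
    sysctl security.mac.portacl.port_high=1023
    sysctl security.mac.portacl.suser_exempt=1   # root keeps its usual rights
    sysctl security.mac.portacl.rules="$1"
    sysctl security.mac.portacl.enabled=1
}

RULES=$(portacl_rules "$SVC_UID" udp/53 tcp/53 tcp/80 tcp/443)
printf 'security.mac.portacl.rules=%s\n' "$RULES"

# Only touch the running kernel when explicitly asked: ./portacl.sh apply
if [ "${1:-}" = apply ]; then
    apply_portacl "$RULES"
fi
```

Persist the same values in /etc/sysctl.conf and add mac_portacl_load="YES" to /boot/loader.conf so they survive a reboot; a process in the jail still must actually run as that uid, which mac_portacl does not enforce.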