Bind to port <1024 in jail
Eugene Grosbein
eugen at grosbein.net
Mon Aug 20 15:15:25 UTC 2018
20.08.2018 22:02, Stefan Bethke wrote:
>> The trick is that mac_portacl provides a way to selectively give permission for non-root UID
>> to bind low ports:
>>
>> security.mac.portacl.rules=uid:88:tcp:80,uid:88:tcp:443,uid:53:tcp:53,uid:53:udp:53
>>
>> It works just fine for a host and I use it for name servers utilizing port 53
>> for a box with dynamically created interfaces, so it may bind the port for distinct IP addresses
>> after it dropped privileges, when a new interface is created and gets a new IP assigned.
>>
>> I have not tried it for jails, though. Please try and respond.
>
> Thanks, but do I understand correctly that the security.mac.portacl.rules are system-wide and not per-jail?
It seems so. It is a small kernel module and it should not be so hard to make it VNET-aware
for one already familiar with the code. You may want to file a PR for that,
so it would become possible to have per-jail settings for VIMAGE-enabled jails.
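One way to catch malformed or ineffective entries in such a rule string before loading it, as an added shell example that is not from this thread; it assumes the idtype:id:proto:port rule format shown above and that rules for ports above security.mac.portacl.port_high (assumed default 1023) are ignored by the module:

```shell
# Check one mac_portacl rule entry of the form idtype:id:proto:port.
# Prints the problem to stderr and returns 1 when the entry is unusable.
portacl_check_entry() {
    entry=$1
    port_high=$2
    case $entry in
        *:*:*:*:*) echo "too many fields: $entry" >&2; return 1 ;;
        *:*:*:*) ;;
        *) echo "too few fields: $entry" >&2; return 1 ;;
    esac
    idtype=${entry%%:*}; rest=${entry#*:}
    id=${rest%%:*};      rest=${rest#*:}
    proto=${rest%%:*};   port=${rest#*:}
    case $idtype in uid|gid) ;; *) echo "idtype must be uid or gid: $entry" >&2; return 1 ;; esac
    case $id in ''|*[!0-9]*) echo "numeric id required: $entry" >&2; return 1 ;; esac
    case $proto in tcp|udp) ;; *) echo "proto must be tcp or udp: $entry" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "numeric port required: $entry" >&2; return 1 ;; esac
    if [ "$port" -gt 65535 ]; then
        echo "port out of range: $entry" >&2; return 1
    fi
    # Assumption: the module only consults rules up to port_high, so a rule
    # above it silently does nothing; treat that as a configuration error.
    if [ "$port" -gt "$port_high" ]; then
        echo "port above port_high=$port_high, rule would be ignored: $entry" >&2
        return 1
    fi
    return 0
}

# Validate a whole comma-separated rules string (what goes into
# security.mac.portacl.rules). Optional second argument overrides the
# assumed port_high of 1023. Returns 0 only if every entry is usable.
portacl_check_rules() {
    rules=$1
    port_high=${2:-1023}
    rc=0
    old_ifs=$IFS
    IFS=,
    set -- $rules        # split the string on commas into positional args
    IFS=$old_ifs
    for entry in "$@"; do
        portacl_check_entry "$entry" "$port_high" || rc=1
    done
    return $rc
}

# Example usage against the rule string from the thread:
#   portacl_check_rules "uid:88:tcp:80,uid:88:tcp:443,uid:53:tcp:53,uid:53:udp:53"
# or against the running kernel's current setting:
#   portacl_check_rules "$(sysctl -n security.mac.portacl.rules)"
```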