20.08.2018 22:02, Stefan Bethke wrote:

>> The trick is that mac_portacl provides a way to selectively give permission
>> for non-root UIDs to bind low ports:
>>
>> security.mac.portacl.rules=uid:88:tcp:80,uid:88:tcp:443,uid:53:tcp:53,uid:53:udp:53
>>
>> It works just fine for a host, and I use it for name servers utilizing port 53
>> on a box with dynamically created interfaces, so it may bind the port for
>> distinct IP addresses after it dropped privileges, when a new interface is
>> created and gets a new IP assigned.
>>
>> I have not tried it for jails, though. Please try and respond.
> 
> Thanks, but do I understand correctly that the security.mac.portacl.rules are 
> system-wide and not per-jail?

It seems so. It is a small kernel module and it should not be so hard to make it
VNET-aware for one already familiar with the code. You may want to file a PR for that,
so it would become possible to have per-jail settings for VIMAGE-enabled jails.
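Added here as an illustration, not code from the thread or from FreeBSD: a small Python checker that parses a rule list in the mac_portacl format quoted above and answers whether a given non-root uid/gid may bind a port. The idtype:id:protocol:port syntax and the port_high default of 1023 come from mac_portacl(4); the helper names and the sample rule list evaluation are constructed. Since the rule list is a single system-wide sysctl, as discussed above, this models host-wide policy, not a per-jail one.

```python
import re
from dataclasses import dataclass

# Rule syntax from mac_portacl(4): idtype:id:protocol:port, comma-separated.
RULE_RE = re.compile(r"^(uid|gid):(\d+):(tcp|udp):(\d+)$")


@dataclass(frozen=True)
class Rule:
    idtype: str   # "uid" or "gid"
    ident: int    # numeric uid or gid
    proto: str    # "tcp" or "udp"
    port: int


def parse_rules(rules: str) -> list:
    """Parse a security.mac.portacl.rules value; reject anything malformed."""
    parsed = []
    for item in filter(None, (s.strip() for s in rules.split(","))):
        m = RULE_RE.match(item)
        if not m:
            raise ValueError(f"malformed rule {item!r}: expected idtype:id:proto:port")
        idtype, ident, proto, port = m.groups()
        if not 0 <= int(port) <= 65535:
            raise ValueError(f"port out of range in {item!r}")
        parsed.append(Rule(idtype, int(ident), proto, int(port)))
    return parsed


def may_bind(rules, uid, gids, proto, port, port_high=1023):
    """Would a non-root process with this uid/gids be allowed to bind proto/port?

    port_high mirrors security.mac.portacl.port_high (default 1023): ports above
    it are not covered by portacl at all. Root is governed by the suser_exempt
    sysctl and is not modelled here. Constructed helper, not kernel code.
    """
    if port > port_high:
        return True
    for r in rules:
        if r.proto != proto or r.port != port:
            continue
        if r.idtype == "uid" and r.ident == uid:
            return True
        if r.idtype == "gid" and r.ident in gids:
            return True
    return False


# Constructed check using the rule list quoted in the thread.
THREAD_RULES = "uid:88:tcp:80,uid:88:tcp:443,uid:53:tcp:53,uid:53:udp:53"

if __name__ == "__main__":
    rules = parse_rules(THREAD_RULES)
    for uid, proto, port in [(88, "tcp", 80), (88, "tcp", 53), (53, "udp", 53)]:
        verdict = "allowed" if may_bind(rules, uid, (), proto, port) else "denied"
        print(f"uid {uid} {proto}/{port}: {verdict}")
```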



_______________________________________________
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"