Re: Bind to port <1024 in jail

2018-08-20 Thread Eugene Grosbein
21.08.2018 1:37, Charles Sprickman via freebsd-stable wrote:

> I am so behind on all the new toys in the system.  I was very embarrassed
> to find out about this feature from someone who’s primarily working
> with Linux in his day job.  He was just looking to bind an Elixir app to 
> 80/443
> without running as root and he shared this:
> 
> security.mac.portacl.rules=gid:2001:tcp:80,gid:2001:tcp:443
> 
> We stuck that in sysctl.conf and that was that.

This is not so new: mac_portacl is here since 8.0-RELEASE.

> I wish FreeBSD still had the evangelism folks that would go out and
> tell the userbase and anyone else that would listen about all the cool
> new stuff. :)

Well, we still have Release Notes for every major or minor release.
Get into the habit of reading them once a release and you'll know it all.

___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"


Re: Bind to port <1024 in jail

2018-08-20 Thread Charles Sprickman via freebsd-stable

> On Aug 20, 2018, at 11:04 AM, Ian Lepore  wrote:
> 
> On Mon, 2018-08-20 at 16:47 +0200, Stefan Bethke wrote:
>> I have a Go program (acme-dns) that wants to bind 53, 80, and 443,
>> and I’d rather have it run as a non-privileged user.  The program
>> doesn’t provide a facility to drop privs after binding the ports. I’m
>> planning to run it in a jail.
>> 
>> After some googling, it appears that a couple of years ago I should
>> have been able to do:
>> sysctl net.inet.ip.portrange.reservedhigh=0
>> and allow all processes to bind to „low“ ports. This does not work in
>> my jails on a 11-stable host.
>> 
>> $ sudo sysctl net.inet.ip.portrange.reservedhigh=0
>> net.inet.ip.portrange.reservedhigh: 1023
>> sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted
>> 
>> Securelevel should not interfere:
>> $ sysctl kern.securelevel
>> kern.securelevel: -1
>> 
>> Is there a way to allow regular processes to bind to low ports?
>> 
>> 
>> Stefan
>> 
> 
> You might be able to set up a specific local userid for this process,
> then use mac_portacl(4) to allow it to bind to those ports. I'm not
> certain that works inside a jail, however.

I am so behind on all the new toys in the system.  I was very embarrassed
to find out about this feature from someone who’s primarily working
with Linux in his day job.  He was just looking to bind an Elixir app to 80/443
without running as root and he shared this:

security.mac.portacl.rules=gid:2001:tcp:80,gid:2001:tcp:443

We stuck that in sysctl.conf and that was that.

I wish FreeBSD still had the evangelism folks that would go out and
tell the userbase and anyone else that would listen about all the cool
new stuff. :)

Charles

> 
> -- Ian



Re: Bind to port <1024 in jail

2018-08-20 Thread Stefan Bethke


> On 20.08.2018 at 18:32, Bjoern A. Zeeb wrote:
> 
> On 20 Aug 2018, at 16:22, Stefan Bethke wrote:
> 
>>>> Is there a way to allow regular processes to bind to low ports?
>>> 
>>> you have to set it on the base system;  alternatively with vnet you might 
>>> be able to change it per-jail.
>> 
>> Do you feel it’s OK to enable VIMAGE in -stable? When I tried last in 2016, 
>> I had stability issues, I think related to pf.
> 
> “If you know what you are doing it won’t panic” ;-)   I think with 12 I’d be 
> a lot more confident about stability.  Most fixes could not and were not 
> MFCed.

OK then, should I move to -current and try there? I’ve not tracked -current on 
a production box in years (I think the last time was around 3 or 4), but I’m 
willing to give it a go, seeing that the code freeze is about to start.


Stefan

-- 
Stefan Bethke    Fon +49 151 14070811



Re: Bind to port <1024 in jail

2018-08-20 Thread Eugene Grosbein
20.08.2018 23:22, Stefan Bethke wrote:

> Do you feel it’s OK to enable VIMAGE in -stable? When I tried last in 2016, I 
> had stability issues, I think related to pf.

It is already in HEAD's GENERIC and will be in 12.0-RELEASE soon, so in -stable 
too.

I use it with stable/11 without problems but I do not use pf.



Re: Bind to port <1024 in jail

2018-08-20 Thread Bjoern A. Zeeb

On 20 Aug 2018, at 16:22, Stefan Bethke wrote:

>>> Is there a way to allow regular processes to bind to low ports?
>>
>> you have to set it on the base system;  alternatively with vnet you
>> might be able to change it per-jail.
>
> Do you feel it’s OK to enable VIMAGE in -stable? When I tried last
> in 2016, I had stability issues, I think related to pf.

“If you know what you are doing it won’t panic” ;-)   I think with
12 I’d be a lot more confident about stability.  Most fixes could not
and were not MFCed.


/bz


Re: Bind to port <1024 in jail

2018-08-20 Thread Stefan Bethke


> On 20.08.2018 at 16:59, Bjoern A. Zeeb wrote:
> 
> On 20 Aug 2018, at 14:47, Stefan Bethke wrote:
> 
>> I have a Go program (acme-dns) that wants to bind 53, 80, and 443, and I’d 
>> rather have it run as a non-privileged user.  The program doesn’t provide a 
>> facility to drop privs after binding the ports. I’m planning to run it in a 
>> jail.
>> 
>> After some googling, it appears that a couple of years ago I should have 
>> been able to do:
>> sysctl net.inet.ip.portrange.reservedhigh=0
>> and allow all processes to bind to „low“ ports. This does not work in my 
>> jails on a 11-stable host.
>> 
>> $ sudo sysctl net.inet.ip.portrange.reservedhigh=0
>> net.inet.ip.portrange.reservedhigh: 1023
>> sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted
>> 
>> Securelevel should not interfere:
>> $ sysctl kern.securelevel
>> kern.securelevel: -1
>> 
>> Is there a way to allow regular processes to bind to low ports?
> 
> you have to set it on the base system;  alternatively with vnet you might be 
> able to change it per-jail.

Do you feel it’s OK to enable VIMAGE in -stable? When I tried last in 2016, I 
had stability issues, I think related to pf.


Stefan

-- 
Stefan Bethke    Fon +49 151 14070811



Re: Bind to port <1024 in jail

2018-08-20 Thread Eugene Grosbein
20.08.2018 22:02, Stefan Bethke wrote:

>> The trick is that mac_portacl provides a way to selectively give permission 
>> for non-root UID
>> to bind low ports:
>>
>> security.mac.portacl.rules=uid:88:tcp:80,uid:88:tcp:443,uid:53:tcp:53,uid:53:udp:53
>>
>> It works just fine for a host and I use it for name servers utilizing port 53
>> for a box with dynamically created interfaces, so it may bind the port for 
>> distinct IP addresses
>> after it dropped privileges when a new interface is created and gets a new IP 
>> assigned.
>>
>> I have not tried it for jails, though. Please try and respond.
> 
> Thanks, but do I understand correctly that the security.mac.portacl.rules are 
> system-wide and not per-jail?

It seems so. It is a small kernel module and it should not be so hard to make it 
VNET-aware
for one already familiar with the code. You may want to file a PR for that,
so it would become possible to have per-jail settings for VIMAGE-enabled jails.





Re: Bind to port <1024 in jail

2018-08-20 Thread Ian Lepore
On Mon, 2018-08-20 at 17:02 +0200, Stefan Bethke wrote:
> On 20.08.2018 at 16:59, Eugene Grosbein wrote:
> > 
> > 
> > 20.08.2018 21:47, Stefan Bethke wrote:
> > 
> > > 
> > > I have a Go program (acme-dns) that wants to bind 53, 80, and
> > > 443, and I’d rather have it run as a non-privileged user.  The
> > > program doesn’t provide a facility to drop privs after binding
> > > the ports. I’m planning to run it in a jail.
> > > 
> > > After some googling, it appears that a couple of years ago I
> > > should have been able to do:
> > > sysctl net.inet.ip.portrange.reservedhigh=0
> > > and allow all processes to bind to „low“ ports. This does not
> > > work in my jails on a 11-stable host.
> > > 
> > > $ sudo sysctl net.inet.ip.portrange.reservedhigh=0
> > > net.inet.ip.portrange.reservedhigh: 1023
> > > sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not
> > > permitted
> > > 
> > > Securelevel should not interfere:
> > > $ sysctl kern.securelevel
> > > kern.securelevel: -1
> > > 
> > > Is there a way to allow regular processes to bind to low ports?
> > Yes. Just use mac_portacl kernel module: kldload mac_portacl
> > 
> > Once loaded, it duplicates net.inet.ip.portrange.reservedhigh
> > protection
> > with its own security.mac.portacl.port_high, so it's safe to
> > disable
> > "reservedhigh" for whole system by running sysctl
> > net.inet.ip.portrange.reservedhigh=0
> > for host.
> > 
> > The trick is that mac_portacl provides a way to selectively give
> > permission for non-root UID
> > to bind low ports:
> > 
> > security.mac.portacl.rules=uid:88:tcp:80,uid:88:tcp:443,uid:53:tcp:
> > 53,uid:53:udp:53
> > 
> > It works just fine for a host and I use it for name servers
> > utilizing port 53
> > for a box with dynamically created interfaces, so it may bind the
> > port for distinct IP addresses
> > > after it dropped privileges when a new interface is created and gets
> > > a new IP assigned.
> > > 
> > > I have not tried it for jails, though. Please try and respond.
> Thanks, but do I understand correctly that the
> security.mac.portacl.rules are system-wide and not per-jail?
> 
> I’m running ~10 jails on this host, and I don’t want to allow all of
> them to bind to low ports.
> 

Portacls are configured by userid. Just create a local userid that is
dedicated to this one process that runs in the one jail, and only it
(and root of course) would be able to bind to those ports.

-- Ian



Re: Bind to port <1024 in jail

2018-08-20 Thread Eugene Grosbein
20.08.2018 21:47, Stefan Bethke wrote:

> I have a Go program (acme-dns) that wants to bind 53, 80, and 443, and I’d 
> rather have it run as a non-privileged user.  The program doesn’t provide a 
> facility to drop privs after binding the ports. I’m planning to run it in a 
> jail.
> 
> After some googling, it appears that a couple of years ago I should have been 
> able to do:
> sysctl net.inet.ip.portrange.reservedhigh=0
> and allow all processes to bind to „low“ ports. This does not work in my 
> jails on a 11-stable host.
> 
> $ sudo sysctl net.inet.ip.portrange.reservedhigh=0
> net.inet.ip.portrange.reservedhigh: 1023
> sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted
> 
> Securelevel should not interfere:
> $ sysctl kern.securelevel
> kern.securelevel: -1
> 
> Is there a way to allow regular processes to bind to low ports?

Yes. Just use the mac_portacl kernel module: kldload mac_portacl

Once loaded, it duplicates net.inet.ip.portrange.reservedhigh protection
with its own security.mac.portacl.port_high, so it's safe to disable
"reservedhigh" for the whole system by running
sysctl net.inet.ip.portrange.reservedhigh=0
for the host.

The trick is that mac_portacl provides a way to selectively give permission
for a non-root UID to bind low ports:

security.mac.portacl.rules=uid:88:tcp:80,uid:88:tcp:443,uid:53:tcp:53,uid:53:udp:53

It works just fine for a host and I use it for name servers utilizing port 53
on a box with dynamically created interfaces, so it may bind the port for
distinct IP addresses after it dropped privileges when a new interface is
created and gets a new IP assigned.

I have not tried it for jails, though. Please try and respond.


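The decision this thread circles around has two independent gates: the classic net.inet.ip.portrange.reservedhigh privilege check (which is why Stefan's non-root bind still fails), and the mac_portacl rule list keyed by uid or gid (which is why Ian's one-dedicated-uid-per-jail approach limits the grant to a single process even though the rules are system-wide). The evaluator below is an added example, not code from the thread or from FreeBSD; it parses a security.mac.portacl.rules string in the idtype:id:proto:port form posted above and replays both gates. The uids 88, 53 and 2002, the treatment of root as always exempt, and the reading of port_high as the upper bound of mac_portacl's scope are assumptions for the demo, not facts read from the kernel source.

```python
"""Model of the bind() decision the thread describes: FreeBSD's classic
net.inet.ip.portrange.reservedhigh check plus the mac_portacl(4) rule list.
Added example; not code from the thread or from FreeBSD."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    idtype: str   # "uid" or "gid"
    ident: int    # numeric uid or gid
    proto: str    # "tcp" or "udp"
    port: int     # port the subject may bind


def parse_rules(rules: str) -> list:
    """Parse a security.mac.portacl.rules string (idtype:id:proto:port entries
    separated by commas, as in the thread).  Malformed entries raise so that
    a typo in sysctl.conf is caught before it silently grants nothing."""
    parsed = []
    for entry in (e.strip() for e in rules.split(",")):
        if not entry:
            continue
        parts = entry.split(":")
        if len(parts) != 4:
            raise ValueError(f"rule {entry!r}: expected idtype:id:proto:port")
        idtype, ident, proto, port = parts
        if idtype not in ("uid", "gid"):
            raise ValueError(f"rule {entry!r}: idtype must be uid or gid")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"rule {entry!r}: proto must be tcp or udp")
        ident_n, port_n = int(ident), int(port)
        if not 0 <= port_n <= 65535:
            raise ValueError(f"rule {entry!r}: port out of range")
        parsed.append(Rule(idtype, ident_n, proto, port_n))
    return parsed


def portacl_permits(rules, uid, gids, proto, port, port_high=1023):
    """mac_portacl half of the decision.  Assumption: ports above port_high are
    outside its scope (the thread says port_high duplicates the reservedhigh
    boundary).  A rule matches on exact proto and port, and on the uid or on
    any of the subject's group ids."""
    if port > port_high:
        return True
    for r in rules:
        if r.proto != proto or r.port != port:
            continue
        if r.idtype == "uid" and r.ident == uid:
            return True
        if r.idtype == "gid" and r.ident in gids:
            return True
    return False


def can_bind(rules, uid, gids, proto, port, reservedhigh=1023, port_high=1023):
    """Combine both gates as the thread describes them: the reservedhigh check
    still applies independently of mac_portacl, so a non-root uid is refused on
    any port <= reservedhigh no matter what the rules say.  Root (uid 0) is
    modelled as always allowed (assumption).  Returns (allowed, reason)."""
    if uid == 0:
        return True, "uid 0 is exempt"
    if port <= reservedhigh:
        return False, f"port {port} <= reservedhigh={reservedhigh}; set reservedhigh=0"
    if not portacl_permits(rules, uid, gids, proto, port, port_high):
        return False, f"no mac_portacl rule for uid {uid}/gids {sorted(gids)} on {proto}/{port}"
    return True, "allowed by mac_portacl rule"


if __name__ == "__main__":
    # Constructed scenario: the rule string posted in the thread, one dedicated
    # uid per jailed listener (88 = web ports, 53 = DNS), and a second jail's
    # uid 2002 that has no rule and must stay refused on low ports.
    RULES = parse_rules("uid:88:tcp:80,uid:88:tcp:443,uid:53:tcp:53,uid:53:udp:53")
    cases = [
        (88, {88}, "tcp", 80, 1023),     # reservedhigh still 1023: refused
        (88, {88}, "tcp", 80, 0),        # reservedhigh=0: portacl rule applies
        (53, {53}, "udp", 53, 0),
        (2002, {2002}, "tcp", 80, 0),    # other jail, no rule: refused
        (2002, {2002}, "tcp", 8080, 0),  # above port_high: portacl not involved
    ]
    for uid, gids, proto, port, rh in cases:
        ok, why = can_bind(RULES, uid, gids, proto, port, reservedhigh=rh)
        print(f"uid={uid:<5} {proto}/{port:<5} reservedhigh={rh:<4} -> "
              f"{'ALLOW' if ok else 'DENY '} ({why})")
```

Running the script shows the first case refused with the reservedhigh reason and the second allowed, which is the order of operations Eugene recommends: load the module, then lower reservedhigh, and let the rule list be the only thing standing between an unprivileged uid and a low port. Because the rule list is keyed by uid or gid rather than by jail, the 2002 case is how a second jail stays excluded: give it no rule and do not share the dedicated uid or gid across jails.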


Re: Bind to port <1024 in jail

2018-08-20 Thread Ian Lepore
On Mon, 2018-08-20 at 16:47 +0200, Stefan Bethke wrote:
> I have a Go program (acme-dns) that wants to bind 53, 80, and 443,
> and I’d rather have it run as a non-privileged user.  The program
> doesn’t provide a facility to drop privs after binding the ports. I’m
> planning to run it in a jail.
> 
> After some googling, it appears that a couple of years ago I should
> have been able to do:
> sysctl net.inet.ip.portrange.reservedhigh=0
> and allow all processes to bind to „low“ ports. This does not work in
> my jails on a 11-stable host.
> 
> $ sudo sysctl net.inet.ip.portrange.reservedhigh=0
> net.inet.ip.portrange.reservedhigh: 1023
> sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted
> 
> Securelevel should not interfere:
> $ sysctl kern.securelevel
> kern.securelevel: -1
> 
> Is there a way to allow regular processes to bind to low ports?
> 
> 
> Stefan
> 

You might be able to set up a specific local userid for this process,
then use mac_portacl(4) to allow it to bind to those ports. I'm not
certain that works inside a jail, however.

-- Ian


Re: Bind to port <1024 in jail

2018-08-20 Thread Stefan Bethke
On 20.08.2018 at 16:59, Eugene Grosbein wrote:
> 
> 20.08.2018 21:47, Stefan Bethke wrote:
> 
>> I have a Go program (acme-dns) that wants to bind 53, 80, and 443, and I’d 
>> rather have it run as a non-privileged user.  The program doesn’t provide a 
>> facility to drop privs after binding the ports. I’m planning to run it in a 
>> jail.
>> 
>> After some googling, it appears that a couple of years ago I should have 
>> been able to do:
>> sysctl net.inet.ip.portrange.reservedhigh=0
>> and allow all processes to bind to „low“ ports. This does not work in my 
>> jails on a 11-stable host.
>> 
>> $ sudo sysctl net.inet.ip.portrange.reservedhigh=0
>> net.inet.ip.portrange.reservedhigh: 1023
>> sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted
>> 
>> Securelevel should not interfere:
>> $ sysctl kern.securelevel
>> kern.securelevel: -1
>> 
>> Is there a way to allow regular processes to bind to low ports?
> 
> Yes. Just use mac_portacl kernel module: kldload mac_portacl
> 
> Once loaded, it duplicates net.inet.ip.portrange.reservedhigh protection
> with its own security.mac.portacl.port_high, so it's safe to disable
> "reservedhigh" for whole system by running sysctl 
> net.inet.ip.portrange.reservedhigh=0
> for host.
> 
> The trick is that mac_portacl provides a way to selectively give permission 
> for non-root UID
> to bind low ports:
> 
> security.mac.portacl.rules=uid:88:tcp:80,uid:88:tcp:443,uid:53:tcp:53,uid:53:udp:53
> 
> It works just fine for a host and I use it for name servers utilizing port 53
> for a box with dynamically created interfaces, so it may bind the port for 
> distinct IP addresses
> after it dropped privileges when a new interface is created and gets a new IP 
> assigned.
> 
> I have not tried it for jails, though. Please try and respond.

Thanks, but do I understand correctly that the security.mac.portacl.rules are 
system-wide and not per-jail?

I’m running ~10 jails on this host, and I don’t want to allow all of them to 
bind to low ports.


Stefan

-- 
Stefan Bethke    Fon +49 151 14070811



Re: Bind to port <1024 in jail

2018-08-20 Thread Bjoern A. Zeeb

On 20 Aug 2018, at 14:47, Stefan Bethke wrote:

> I have a Go program (acme-dns) that wants to bind 53, 80, and 443, and 
> I’d rather have it run as a non-privileged user.  The program 
> doesn’t provide a facility to drop privs after binding the ports. 
> I’m planning to run it in a jail.
> 
> After some googling, it appears that a couple of years ago I should 
> have been able to do:
> 
> sysctl net.inet.ip.portrange.reservedhigh=0
> and allow all processes to bind to „low“ ports. This does not work 
> in my jails on a 11-stable host.
> 
> $ sudo sysctl net.inet.ip.portrange.reservedhigh=0
> net.inet.ip.portrange.reservedhigh: 1023
> sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted
> 
> Securelevel should not interfere:
> $ sysctl kern.securelevel
> kern.securelevel: -1
> 
> Is there a way to allow regular processes to bind to low ports?


you have to set it on the base system;  alternatively with vnet you 
might be able to change it per-jail.


/bz