Hi! FYI: I've noticed spamd & spamlogd open their high ports as root.

These pf rules work; changing to 'user _spamd' doesn't:

pass in on $ext_if inet proto udp \
        from $ext_if:network port > 1023 \
        to $ext_if:0 port spamd-sync \
        user root
pass out on $ext_if inet proto udp \
        from $ext_if:0 port > 1023 \
        to $ext_if:network port spamd-sync \
        user root

$ fstat -u _spamd | fgrep internet
_spamd   spamlogd    2861    4* internet dgram udp *:12412
_spamd   spamd       1408    3* internet stream tcp 0x0 *:8025
_spamd   spamd       1408    4* internet stream tcp 0x0 127.0.0.1:8026
_spamd   spamd       1408    5* internet dgram udp 78.33.153.147:8025
_spamd   spamd      11154    3* internet stream tcp 0x0 *:8025
_spamd   spamd      11154    4* internet stream tcp 0x0 127.0.0.1:8026
_spamd   spamd      11154    5* internet dgram udp 78.33.153.147:8025
_spamd   spamd      11452    3* internet stream tcp 0x0 *:8025
_spamd   spamd      11452    4* internet stream tcp 0x0 127.0.0.1:8026
_spamd   spamd      11452    5* internet dgram udp 78.33.153.147:8025

This box syslogs:

Dec 18 15:13:25 palm spamd[1408]: new WHITE from 78.33.153.148 for 208.70.245.125, expires 1453562006

The WHITE would be from spamlogd sending to UDP 8025 as root, because the pf rules above for that port require root to function.

The source files show all the sockets are opened before priv drop. As the ports are above 1023, is this necessary? - I'm not a C coder...

The more recent commit logs & source don't seem to have changed in this regard from:

$ head -n 5 /var/run/dmesg.boot
OpenBSD 5.7 (GENERIC) #738: Sun Mar 8 10:59:31 MDT 2015
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 349 MHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PSE36,MMX,FXSR,PERF
real mem = 267849728 (255MB)