Module name: mac_portacl.ko
Kernel configuration line: MAC_PORTACL
Boot option: mac_portacl_load="YES"
The mac_portacl(4) module is used to limit binding to local TCP and UDP ports using a variety of sysctl variables. mac_portacl(4) makes it possible to allow non-root users to bind to specified privileged ports below 1024.
Once loaded, this module enables the MAC policy on all sockets. The following tunables are available:

security.mac.portacl.enabled enables or disables the policy completely.

security.mac.portacl.port_high sets the highest port number that mac_portacl(4) protects.

security.mac.portacl.suser_exempt, when set to a non-zero value, exempts the root user from this policy.

security.mac.portacl.rules specifies the mac_portacl policy, which is a text string of the form rule[,rule,...] with as many rules as needed. Each rule is of the form idtype:id:protocol:port. The idtype parameter can be uid or gid and is used to interpret the id parameter as either a user id or group id, respectively. The protocol parameter is used to determine if the rule should apply to TCP or UDP by setting the parameter to tcp or udp. The final port parameter is the port number to allow the specified user or group to bind to.
Since the ruleset is interpreted directly by the kernel, only numeric values can be used for the user ID, group ID, and port parameters. Names cannot be used for users, groups, or services.
By default, ports below 1024 can only be used by or bound to privileged processes, which run as root. For mac_portacl(4) to allow non-privileged processes to bind to ports below 1024, this restriction has to be disabled by setting the sysctl(8) variables net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh to zero:

# sysctl security.mac.portacl.port_high=1023
# sysctl net.inet.ip.portrange.reservedlow=0 net.inet.ip.portrange.reservedhigh=0
See the examples below or refer to mac_portacl(4) for further information.
Since the root user should not be crippled by this policy, this example starts by setting security.mac.portacl.suser_exempt to a non-zero value:

# sysctl security.mac.portacl.suser_exempt=1

Next, allow the user with UID 80 to bind to port 80. This allows the www user to run a web server without ever having root privilege:

# sysctl security.mac.portacl.rules=uid:80:tcp:80

The next example permits the user with the UID of 1001 to bind to the TCP ports 110 ("pop3") and 995 ("pop3s"). This permits this user to start a server that accepts connections on ports 110 and 995:

# sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995
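The following is an added illustration, not code from the FreeBSD module or Handbook: a small Python model that parses a security.mac.portacl.rules string with the same strictness the kernel applies (numeric ids and ports only, idtype uid/gid, protocol tcp/udp) and evaluates whether a given bind would pass the policy. The decision logic is an assumed simplification of the documented behaviour: ports above port_high are not checked, a root caller passes when suser_exempt is set, and any other caller needs a rule matching its uid or one of its gids for that protocol and port. The base system's net.inet.ip.portrange.reserved* check is outside this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    idtype: str    # "uid" or "gid"
    ident: int     # numeric user or group id; names are rejected
    protocol: str  # "tcp" or "udp"
    port: int


def parse_rules(rules: str) -> list[Rule]:
    """Parse 'idtype:id:protocol:port[,...]' as written for the sysctl."""
    parsed = []
    for raw in filter(None, rules.split(",")):
        parts = raw.split(":")
        if len(parts) != 4:
            raise ValueError(f"rule {raw!r}: expected idtype:id:protocol:port")
        idtype, ident, protocol, port = parts
        if idtype not in ("uid", "gid"):
            raise ValueError(f"rule {raw!r}: idtype must be uid or gid")
        if protocol not in ("tcp", "udp"):
            raise ValueError(f"rule {raw!r}: protocol must be tcp or udp")
        # The kernel interprets the string directly, so 'www' or 'pop3' are not valid here.
        if not (ident.isdigit() and port.isdigit()):
            raise ValueError(f"rule {raw!r}: id and port must be numeric")
        if not 0 <= int(port) <= 65535:
            raise ValueError(f"rule {raw!r}: port out of range")
        parsed.append(Rule(idtype, int(ident), protocol, int(port)))
    return parsed


def bind_allowed(rules, uid, gids, protocol, port, *,
                 port_high=1023, suser_exempt=True, enabled=True):
    """Assumed policy model: True if the bind passes mac_portacl's check."""
    if not enabled or port > port_high:
        return True            # policy off, or port not protected
    if suser_exempt and uid == 0:
        return True            # root exempted by suser_exempt
    for r in rules:
        if r.protocol != protocol or r.port != port:
            continue
        if r.idtype == "uid" and r.ident == uid:
            return True
        if r.idtype == "gid" and r.ident in gids:
            return True
    return False               # no matching rule: bind is refused


if __name__ == "__main__":
    rs = parse_rules("uid:80:tcp:80,uid:1001:tcp:110,uid:1001:tcp:995")
    print(bind_allowed(rs, 80, [80], "tcp", 80), bind_allowed(rs, 80, [80], "udp", 80))
```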