Date: Wed, 22 Jun 2005 18:08:41 +0200
From: Marco Molteni <molter@tin.it>
To: xtremejames183@msn.com, freebsd-net@freebsd.org
Subject: Re: www user than root
Message-ID: <20050622180841.56be8f27.molter@tin.it>
In-Reply-To: <20050622151406.GG791@empiric.icir.org>
References: <BAY11-F12EF48C9216082BFB35A7B9CEB0@phx.gbl> <20050622151406.GG791@empiric.icir.org>

On Wed, 22 Jun 2005 16:14:06 +0100
Bruce M Simpson <bms@spc.org> wrote:

> On Wed, Jun 22, 2005 at 05:01:17PM +0200, Mrad James Deane wrote:
> > hello i want to know how the www user with uid:80 can print on a
> > privileged port like 80 rather the root user im very in trouble i
> > did not find a solution yet mac_portacl is one but it is very
> > experimental please help. thanks
>
> I think you may have meant 'bind' rather than 'print' here?
>
> Anyway, the way they used to do this back in the day on Linux at least
> was to hack the socket code to allow binds to privileged ports by
> certain users/groups rather than relying solely on the super-user
> check.
>
> You could do something like this in FreeBSD 5-STABLE by hacking the
> in_pcbbind_setup() function in src/sys/netinet/in_pcb.c to not just
> call suser_cred(), but to instead perform a group check, by calling
> groupmember(some_privileged_socket_group, cred).

I think that the following sysctls do the trick

molter@gattaccio[~]$ sysctl net|grep reserv
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.reservedlow: 0

marco
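
An added example (not part of the original message and not FreeBSD's own code): a small C probe for checking what the two sysctls above actually permit, by attempting a loopback bind as the calling user and comparing the result with the reserved range. The function names are made up for this example; off FreeBSD the range falls back to the 0-1023 values shown in the message.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/sysctl.h>
#endif

/* The rule the two sysctls express: binding a port in [low, high] needs privilege. */
int port_is_reserved(int port, int low, int high)
{
    return port >= low && port <= high;
}

/* Try to bind 127.0.0.1:port as the calling user. Returns 0 on success,
 * otherwise errno (EACCES: reserved-port check refused; EADDRINUSE: port taken). */
int try_bind(int port)
{
    struct sockaddr_in sin;
    int rc, s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return errno;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons((unsigned short)port);
    rc = bind(s, (struct sockaddr *)&sin, sizeof(sin)) == 0 ? 0 : errno;
    close(s);
    return rc;
}

int main(int argc, char **argv)
{
    int port = argc > 1 ? atoi(argv[1]) : 80;
    int low = 0, high = 1023;   /* values shown in the message; used off FreeBSD */
#ifdef __FreeBSD__
    size_t len = sizeof(low);
    sysctlbyname("net.inet.ip.portrange.reservedlow", &low, &len, NULL, 0);
    len = sizeof(high);
    sysctlbyname("net.inet.ip.portrange.reservedhigh", &high, &len, NULL, 0);
#endif
    int rc = try_bind(port);
    printf("uid %d port %d: range %d-%d says %s, bind() -> %s\n", (int)getuid(),
           port, low, high, port_is_reserved(port, low, high) ? "privileged" : "open",
           rc == 0 ? "ok" : strerror(rc));
    return rc != 0;
}
```

Run it as the www user before and after changing the sysctls. The range is system-wide, so setting reservedhigh below 80 lifts the check for every local user, not only uid 80.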