From owner-freebsd-net@FreeBSD.ORG  Wed Jun 22 16:09:40 2005
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EEEA816A41C
	for <freebsd-net@freebsd.org>; Wed, 22 Jun 2005 16:09:40 +0000 (GMT)
	(envelope-from molter@tin.it)
Received: from vsmtp12.tin.it (vsmtp12.tin.it [212.216.176.206])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9783843D55
	for <freebsd-net@freebsd.org>; Wed, 22 Jun 2005 16:09:40 +0000 (GMT)
	(envelope-from molter@tin.it)
Received: from gattaccio.codalunga (82.122.224.189) by vsmtp12.tin.it
	(7.0.027) (authenticated as molter@tin.it)
	id 429D6B560084DBBD; Wed, 22 Jun 2005 18:09:38 +0200
Received: by gattaccio.codalunga (Postfix, from userid 1001)
	id 2E42CC4C9; Wed, 22 Jun 2005 18:08:41 +0200 (CEST)
Date: Wed, 22 Jun 2005 18:08:41 +0200
From: Marco Molteni <molter@tin.it>
To: xtremejames183@msn.com, freebsd-net@freebsd.org
Message-Id: <20050622180841.56be8f27.molter@tin.it>
In-Reply-To: <20050622151406.GG791@empiric.icir.org>
References: <BAY11-F12EF48C9216082BFB35A7B9CEB0@phx.gbl>
	<20050622151406.GG791@empiric.icir.org>
X-Mailer: Sylpheed version 1.0.4 (GTK+ 1.2.10; i386-portbld-freebsd6.0)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: 
Subject: Re: www user than root
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jun 2005 16:09:41 -0000

On Wed, 22 Jun 2005 16:14:06 +0100
Bruce M Simpson <bms@spc.org> wrote:

> On Wed, Jun 22, 2005 at 05:01:17PM +0200, Mrad James Deane wrote:
> > hello i want to know how the www user with uid:80 can print on a
> > priviliged  port like 80 rather the root user  im very in trouble i
> > did not find a  solution yet mac_portacl is one but it is very
> > experimental please help. thanks
> 
> I think you may have meant 'bind' rather than 'print' here?
> 
> Anyway, the way they used to do this back in the day on Linux at least
> was to hack the socket code to allow binds to privileged ports by
> certain users/groups rather than relying solely on the super-user
> check.
> 
> You could do something like this in FreeBSD 5-STABLE by hacking the
> in_pcbbind_setup() function in src/sys/netinet/in_pcb.c to not just
> call suser_cred(), but to instead perform a group check, by calling
> groupmember(some_privileged_socket_group, cred).

I think that the following sysctls do the trick

molter@gattaccio[~]$ sysctl net|grep reserv
net.inet.ip.portrange.reservedhigh: 1023
net.inet.ip.portrange.reservedlow: 0

marco