Date: Wed, 7 Jun 2017 13:24:10 +0200
From: Fabian Keil <freebsd-listen@fabiankeil.de>
To: Allan Jude <allanjude@FreeBSD.org>
Cc: svn-src-all@freebsd.org
Subject: Re: svn commit: r319611 - in head: sys/kern sys/sys usr.sbin/jail
Message-ID: <20170607132410.39f52836@fabiankeil.de>
In-Reply-To: <3D906167-AC44-4BA5-B8ED-5E793D492BC0@FreeBSD.org>
References: <201706060215.v562F167035683@repo.freebsd.org> <20170606114425.126fd846@fabiankeil.de> <3D906167-AC44-4BA5-B8ED-5E793D492BC0@FreeBSD.org>
Allan Jude <allanjude@FreeBSD.org> wrote:

> On June 6, 2017 5:44:25 AM EDT, Fabian Keil <freebsd-listen@fabiankeil.de> wrote:
> >Allan Jude <allanjude@FreeBSD.org> wrote:
> >
> >> Author: allanjude
> >> Date: Tue Jun  6 02:15:00 2017
> >> New Revision: 319611
> >> URL: https://svnweb.freebsd.org/changeset/base/319611
> >>
> >> Log:
> >>   Jails: Optionally prevent jailed root from binding to privileged ports
> >>
> >>   You may now optionally specify allow.noreserved_ports to prevent root
> >>   inside a jail from using privileged ports (less than 1024)
> >>
> >>   PR:                   217728
> >>   Submitted by:         Matt Miller <mattm916@pulsar.neomailbox.ch>
> >>   Reviewed by:          jamie, cem, smh
> >>   Relnotes:             yes
> >>   Differential Revision: https://reviews.freebsd.org/D10202
> >>
> >> Modified:
> >>   head/sys/kern/kern_jail.c
> >>   head/sys/sys/jail.h
> >>   head/usr.sbin/jail/jail.8
> >[...]
> >> @@ -611,6 +613,8 @@ with non-jailed parts of the system.
> >> Sockets within a jail are normally restricted to IPv4, IPv6, local
> >> (UNIX), and route. This allows access to other protocol stacks that
> >> have not had jail functionality added to them.
> >> +.It Va allow.reserved_ports
> >> +The jail root may bind to ports lower than 1024.
> >
> >This description seems to imply that net.inet.ip.portrange.reservedhigh
> >isn't honoured while it actually is.
>
> I think the confusion here is: this option prevents root
> in the jail from using reserved ports. Nonroot users are
> always restricted

I understand that. My point is the man page addition suggests that the
reserved port range end is hard coded while the actual end can be changed
with net.inet.ip.portrange.reservedhigh.

Fabian
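Review bot: the added `.It Va allow.reserved_ports` entry in the jail.8 hunk describes the restricted range with a fixed number ("ports lower than 1024"), but as Fabian Keil's reply in this thread points out, the upper end of the reserved range is the tunable net.inet.ip.portrange.reservedhigh (1024 only describes its default of 1023). Suggest wording the description in terms of the sysctl rather than the constant, e.g. "The jail root may bind to ports in the reserved range; see net.inet.ip.portrange.reservedhigh in ip(4)", so the man page does not imply the boundary is hard coded.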