mac_portacl(4) is a FreeBSD kernel security module providing an access control policy
for permitting specific users and groups to bind to ports that would otherwise be restricted
to the super-user.
portacl-rc is an rc script that makes configuring it easier and safer.
mac_portacl(4) configuration looks something like this:
# sysrc kld_list+=mac_portacl # echo >>/etc/sysctl.conf security.mac.portacl.rules="uid:80:tcp:80,uid:80:tcp:443,uid:80:udp:443" net.inet.ip.portrange.reservedhigh=0 # kldload mac_portacl # service sysctl reload
Not too bad - but fiddlier than it ought to be, particularly as rulesets get bigger.
# pkg install security/portacl-rc # sysrc portacl_users+=www # sysrc portacl_user_www_tcp="http https" portacl_user_www_udp=https # service enable portacl # service start portacl
The rc script translates named users, groups and services for you, filters out invalid
rules (even if specified in the
portacl_additional_rules escape hatch), ensures
the ruleset fits within kernel limits, and makes sure the appropriate sysctl’s are set
in the correct order to enable or disable the policy.
Plan is to land this in the FreeBSD base system at some point.