's bl.aagh

BSD, Ruby, Rust, Rambling


FreeBSD mac_portacl(4) rc script

[shell] [bsd]

mac_portacl(4) is a FreeBSD kernel security module providing an access control policy for permitting specific users and groups to bind to ports that would otherwise be restricted to the super-user.

portacl-rc is an rc script that makes configuring it easier and safer.

Traditional mac_portacl(4) configuration looks something like this:

# sysrc kld_list+=mac_portacl
# echo >>/etc/sysctl.conf
# kldload mac_portacl
# service sysctl reload

Not too bad - but fiddlier than it ought to be, particularly as rulesets get bigger.

Cue portacl-rc:

# pkg install security/portacl-rc
# sysrc portacl_users+=www
# sysrc portacl_user_www_tcp="http https" portacl_user_www_udp=https
# service enable portacl
# service start portacl

The rc script translates named users, groups and services for you, filters out invalid rules (even if specified in the portacl_additional_rules escape hatch), ensures the ruleset fits within kernel limits, and makes sure the appropriate sysctl’s are set in the correct order to enable or disable the policy.

Plan is to land this in the FreeBSD base system at some point.