hur.st's bl.aagh

BSD, Ruby, Rust, Rambling

portacl-rc

FreeBSD mac_portacl(4) rc script

[shell] [bsd]

mac_portacl(4) is a FreeBSD kernel security module providing an access control policy for permitting specific users and groups to bind to ports that would otherwise be restricted to the super-user.

portacl-rc is an rc script that makes configuring it easier and safer.

Traditional mac_portacl(4) configuration looks something like this (the rules string is idtype:id:protocol:port entries separated by commas; reservedhigh=0 lifts the kernel's own "ports below 1024 are root-only" check so that the policy becomes the thing that decides):

# sysrc kld_list+=mac_portacl
# cat >>/etc/sysctl.conf
security.mac.portacl.rules="uid:80:tcp:80,uid:80:tcp:443,uid:80:udp:443"
net.inet.ip.portrange.reservedhigh=0
^D
# kldload mac_portacl
# service sysctl reload

Not too bad, but fiddlier than it ought to be, particularly as rulesets grow, and easy to get subtly wrong: net.inet.ip.portrange.reservedhigh=0 drops the reserved-port check on its own, so if it is in effect while mac_portacl is not loaded and enabled with its rules, any user can bind any port in the meantime. Order matters.

Cue portacl-rc:

# pkg install security/portacl-rc
# sysrc portacl_users+=www
# sysrc portacl_user_www_tcp="http https" portacl_user_www_udp=https
# service enable portacl
# service start portacl

The rc script translates named users, groups and services for you, filters out invalid rules (even ones given via the portacl_additional_rules escape hatch), checks that the ruleset fits within the kernel's limit on the rules string, and sets the relevant sysctls in the correct order when enabling or disabling the policy.
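To show what that translation and checking involves, here is an added sketch in sh. It is not portacl-rc's own code. It reads the rc.conf-style variables shown above (portacl_users, portacl_user_<u>_tcp/udp, portacl_additional_rules); the group variables (portacl_groups, portacl_group_<g>_tcp/udp) are assumed by analogy, the 1024-byte rules-string limit is my reading of the kernel module source, and name lookups use constructed inline passwd/group/services tables instead of id(1)/getent(1) so that it runs anywhere. Rather than calling sysctl(8), it prints the assignments it would make, in the order that never leaves the low ports unguarded.

```shell
#!/bin/sh
# Added example, not portacl-rc's code: a cut-down model of the work an rc
# script has to do before handing a ruleset to mac_portacl(4).

# Constructed lookup tables standing in for id(1)/getent(1) on a real host.
PASSWD_DB="root:0
www:80
ntpd:123"
GROUP_DB="wheel:0
www:80"
SERVICES_DB="http 80/tcp
https 443/tcp
https 443/udp
ntp 123/udp"

# Assumption: MAC_RULE_STRING_LEN in the kernel module source is 1024 bytes,
# including the terminating NUL.
RULE_STRING_MAX=1024

# is_number STR -> 0 if STR is a non-empty string of digits
is_number() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# resolve_id uid|gid NAME -> numeric id on stdout; empty if unknown
resolve_id() {
    if is_number "$2"; then echo "$2"; return 0; fi
    db=$PASSWD_DB; [ "$1" = gid ] && db=$GROUP_DB
    printf '%s\n' "$db" | awk -F: -v n="$2" '$1 == n { print $2; exit }'
}

# resolve_port tcp|udp NAME -> port number on stdout; empty if no such service
resolve_port() {
    if is_number "$2"; then echo "$2"; return 0; fi
    printf '%s\n' "$SERVICES_DB" |
        awk -v n="$2" -v p="$1" '$1 == n && $2 ~ ("/" p "$") { sub("/.*", "", $2); print $2; exit }'
}

# valid_rule RULE -> 0 only if RULE has the exact shape idtype:id:proto:port
valid_rule() {
    [ "$(printf '%s\n' "$1" | awk -F: '{ print NF }')" -eq 4 ] || return 1
    idtype=${1%%:*}; rest=${1#*:}
    id=${rest%%:*}; rest=${rest#*:}
    proto=${rest%%:*}; port=${rest#*:}
    case $idtype in uid|gid) ;; *) return 1 ;; esac
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    is_number "$id" && is_number "$port" && [ "$port" -le 65535 ]
}

# add_rule RULE: append to $acc if it validates, otherwise warn and drop it
add_rule() {
    if valid_rule "$1"; then
        acc="${acc:+$acc,}$1"
    else
        echo "portacl: dropping invalid rule '$1'" >&2
    fi
}

# expand_names uid|gid VARPREFIX NAMES: turn each name's tcp/udp service lists
# into rules. Names that cannot form a shell variable name are skipped (this
# example's choice, not necessarily portacl-rc's).
expand_names() {
    for n in $3; do
        case $n in *[!A-Za-z0-9_]*) echo "portacl: skipping $n" >&2; continue ;; esac
        id=$(resolve_id "$1" "$n")
        if [ -z "$id" ]; then echo "portacl: unknown $1 $n" >&2; continue; fi
        for proto in tcp udp; do
            eval "svcs=\${${2}_${n}_${proto}:-}"
            for s in $svcs; do
                add_rule "$1:$id:$proto:$(resolve_port "$proto" "$s")"
            done
        done
    done
}

# build_rules -> the security.mac.portacl.rules value on stdout
build_rules() {
    acc=
    expand_names uid portacl_user "${portacl_users:-}"
    expand_names gid portacl_group "${portacl_groups:-}"
    for r in ${portacl_additional_rules:-}; do add_rule "$r"; done
    printf '%s\n' "$acc"
}

# rules_fit RULES -> 0 if RULES plus its NUL fits in the kernel buffer
rules_fit() { [ ${#1} -lt "$RULE_STRING_MAX" ]; }

# sysctl_plan enable|disable RULES: the assignments in a safe order.
# reservedhigh=0 removes the kernel's own reserved-port check, so it goes last
# when enabling and first when disabling; at every point in between, mac_portacl
# is loaded, enabled and holding its rules. 1023 is the stock reservedhigh.
sysctl_plan() {
    case $1 in
        enable)  printf '%s\n' "security.mac.portacl.rules=$2" \
                     "security.mac.portacl.enabled=1" \
                     "net.inet.ip.portrange.reservedhigh=0" ;;
        disable) printf '%s\n' "net.inet.ip.portrange.reservedhigh=1023" \
                     "security.mac.portacl.enabled=0" \
                     "security.mac.portacl.rules=" ;;
    esac
}

# Walk-through with the page's configuration plus a few deliberately bad
# additional rules; the plan is printed, not applied.
portacl_users="www"
portacl_user_www_tcp="http https"
portacl_user_www_udp="https"
portacl_additional_rules="gid:80:udp:123 uid:123:icmp:0 bogus"
demo_rules=$(build_rules)
if rules_fit "$demo_rules"; then sysctl_plan enable "$demo_rules"; fi
```

The validation is deliberately strict about shape (exactly four colon-separated fields, known idtype and protocol, numeric id and port) because the kernel parses the whole string at once: one malformed entry can make the sysctl set fail, leaving whatever rules were there before.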

The plan is to land this in the FreeBSD base system at some point.