Module name: mac_portacl.ko
Kernel configuration line: MAC_PORTACL
Boot option: mac_portacl_load="YES"
The mac_portacl(4) module
is used to limit binding to local TCP and UDP ports using a variety of sysctl
variables. In essence mac_portacl(4) makes
it possible to allow non-root users to bind to specified
privileged ports, i.e. ports fewer than 1024.
Once loaded, this module will enable the MAC policy
on all sockets. The following tunables are available:
-
security.mac.portacl.enabled will enable/disable the policy
completely.
-
security.mac.portacl.port_high will set the highest port
number that mac_portacl(4) will
enable protection for.
-
security.mac.portacl.suser_exempt will, when set to a
non-zero value, exempt the root user from this policy.
-
security.mac.portacl.rules will specify the actual
mac_portacl policy; see below.
The actual mac_portacl policy, as specified in the security.mac.portacl.rules sysctl, is a text string of the form: rule[,rule,...] with as many rules as needed. Each rule is of the
form: idtype:id:protocol:port. The idtype
parameter can be uid or gid and used to interpret the id
parameter as either a user id or group id, respectively. The protocol
parameter is used to determine if the rule should apply
to TCP or UDP by
setting the parameter to tcp or udp.
The final port
parameter is the port number to allow the
specified user or group to bind to.
Note: Since the ruleset is interpreted directly by the kernel only numeric
values can be used for the user ID, group ID, and port parameters. I.e. user, group, and
port service names cannot be used.
By default, on UNIX®-like systems, ports fewer than
1024 can only be used by/bound to privileged processes, i.e. those run as root. For mac_portacl(4) to
allow non-privileged processes to bind to ports below 1024 this standard UNIX restriction has to be disabled. This can be accomplished by
setting the sysctl(8) variables
net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh to zero.
See the examples below or review the mac_portacl(4) manual
page for further information.
The following examples should illuminate the above discussion a little better:
# sysctl security.mac.portacl.port_high=1023
# sysctl net.inet.ip.portrange.reservedlow=0 net.inet.ip.portrange.reservedhigh=0
First we set mac_portacl(4) to
cover the standard privileged ports and disable the normal UNIX bind restrictions.
# sysctl security.mac.portacl.suser_exempt=1
The root user should not be crippled by this policy, thus
set the security.mac.portacl.suser_exempt to a non-zero value.
The mac_portacl(4) module
has now been set up to behave the same way UNIX-like
systems behave by default.
# sysctl security.mac.portacl.rules=uid:80:tcp:80
Allow the user with UID 80 (normally the www user) to bind to port 80. This can be used to allow the www user to run a web server without ever having root privilege.
# sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995
Permit the user with the UID of 1001 to bind to the
TCP ports 110 (“pop3”) and 995
(“pop3s”). This will permit this user to start a server that accepts
connections on ports 110 and 995.