Module name: mac_portacl.ko
Kernel configuration line: MAC_PORTACL
Boot option: mac_portacl_load="YES"
The mac_portacl(4) module is used to limit binding to local TCP and UDP ports using a variety of sysctl variables. mac_portacl(4) makes it possible to allow non-root users to bind to specified privileged ports below 1024.
Once loaded, this module enables the MAC policy on all sockets. The following tunables are available:
security.mac.portacl.enabled enables or disables
the policy completely.
security.mac.portacl.port_high sets the highest
port number that mac_portacl(4)
security.mac.portacl.suser_exempt, when set to a
non-zero value, exempts the root user from this
security.mac.portacl.rules specifies the
mac_portacl policy, which is a text string of the form: rule[,rule,...] with as many rules as needed. Each rule is of
the form: idtype:id:protocol:port. The
idtype parameter can be uid or
gid and is used to interpret the
id parameter as either a user id or group id,
protocol parameter is used to
determine if the rule should apply to TCP or UDP by
setting the parameter to tcp or udp. The final
is the port number to allow the specified user or group to bind to.
Note: Since the ruleset is interpreted directly by the kernel, only numeric values can be used for the user ID, group ID, and port parameters. Names cannot be used for users, groups, or services.
By default, ports below 1024 can only be used by or bound to privileged processes,
which run as root. For mac_portacl(4) to
allow non-privileged processes to bind to ports below 1024, this restriction has to be
disabled by setting the sysctl(8) variables
net.inet.ip.portrange.reservedhigh to zero:
# sysctl security.mac.portacl.port_high=1023 # sysctl net.inet.ip.portrange.reservedlow=0 net.inet.ip.portrange.reservedhigh=0
See the examples below or refer to mac_portacl(4) for further information.
Since the root user should not be crippled by this
policy, this example starts by setting the
security.mac.portacl.suser_exempt to a non-zero value.
# sysctl security.mac.portacl.suser_exempt=1
Next, allow the user with UID 80 to bind to port 80. This allows the www user to run a web server without ever having root privilege.
# sysctl security.mac.portacl.rules=uid:80:tcp:80
The next example permits the user with the UID of 1001 to bind to the TCP ports 110 (“pop3”) and 995 (“pop3s”). This permits this user to start a server that accepts connections on ports 110 and 995.
# sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995