<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>The MAC portacl Module</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Mandatory Access Control" href="mac.html" />
<link rel="PREVIOUS" title="The MAC ifoff Module" href="mac-ifoff.html" />
<link rel="NEXT" title="MAC Policies with Labeling Features" href="mac-labelingpolicies.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><th colspan="3" align="center">FreeBSD Handbook</th></tr>
<tr>
<td width="10%" align="left" valign="bottom"><a href="mac-ifoff.html" accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 15. Mandatory Access Control</td>
<td width="10%" align="right" valign="bottom"><a href="mac-labelingpolicies.html" accesskey="N">Next</a></td>
</tr>
</table>
<hr align="LEFT" width="100%" />
</div>
<div class="SECT1">
<h1 class="SECT1"><a id="MAC-PORTACL" name="MAC-PORTACL">15.8. The MAC portacl Module</a></h1>
<p>Module name: <tt class="FILENAME">mac_portacl.ko</tt></p>
<p>Kernel configuration line: <var class="LITERAL">MAC_PORTACL</var></p>
<p>Boot option: <var class="LITERAL">mac_portacl_load="YES"</var></p>
<p>The <span class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_portacl</span>(4)</span> module is used to limit binding to local <acronym class="ACRONYM">TCP</acronym> and <acronym class="ACRONYM">UDP</acronym> ports using a variety of <tt class="COMMAND">sysctl</tt> variables. In essence, <span class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_portacl</span>(4)</span> makes it possible to allow non-<tt class="USERNAME">root</tt> users to bind to specified privileged ports, i.e. ports lower than 1024.</p>
<p>Once loaded, this module will enable the <acronym class="ACRONYM">MAC</acronym> policy on all sockets. The following tunables are available:</p>
<ul>
<li><p><var class="LITERAL">security.mac.portacl.enabled</var> will enable/disable the policy completely.<a id="AEN22079" name="AEN22079" href="#FTN.AEN22079"><span class="footnote">[1]</span></a></p></li>
<li><p><var class="LITERAL">security.mac.portacl.port_high</var> will set the highest port number that <span class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_portacl</span>(4)</span> will enable protection for.</p></li>
<li><p><var class="LITERAL">security.mac.portacl.suser_exempt</var> will, when set to a non-zero value, exempt the <tt class="USERNAME">root</tt> user from this policy.</p></li>
<li><p><var class="LITERAL">security.mac.portacl.rules</var> will specify the actual mac_portacl policy; see below.</p></li>
</ul>
<p>The actual <var class="LITERAL">mac_portacl</var> policy, as specified in the <var class="LITERAL">security.mac.portacl.rules</var> sysctl, is a text string of the form <var class="LITERAL">rule[,rule,...]</var> with as many rules as needed. Each rule is of the form <var class="LITERAL">idtype:id:protocol:port</var>. The <var class="PARAMETER">idtype</var> parameter can be <var class="LITERAL">uid</var> or <var class="LITERAL">gid</var> and is used to interpret the <var class="PARAMETER">id</var> parameter as either a user id or a group id, respectively. The <var class="PARAMETER">protocol</var> parameter determines whether the rule applies to <acronym class="ACRONYM">TCP</acronym> or <acronym class="ACRONYM">UDP</acronym>, by setting it to <var class="LITERAL">tcp</var> or <var class="LITERAL">udp</var>. The final <var class="PARAMETER">port</var> parameter is the port number that the specified user or group is allowed to bind to.</p>
<div class="NOTE"><blockquote class="NOTE"><p><b>Note:</b> Since the ruleset is interpreted directly by the kernel, only numeric values can be used for the user ID, group ID, and port parameters, i.e. user, group, and port service names cannot be used.</p></blockquote></div>
<p>By default, on <span class="TRADEMARK">UNIX</span>®-like systems, ports lower than 1024 can only be used by/bound to privileged processes, i.e. those run as <tt class="USERNAME">root</tt>. For <span class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_portacl</span>(4)</span> to allow non-privileged processes to bind to ports below 1024, this standard <span class="TRADEMARK">UNIX</span> restriction has to be disabled. This can be accomplished by setting the <span class="CITEREFENTRY"><span class="REFENTRYTITLE">sysctl</span>(8)</span> variables <var class="LITERAL">net.inet.ip.portrange.reservedlow</var> and <var class="LITERAL">net.inet.ip.portrange.reservedhigh</var> to zero.</p>
<p>See the examples below or review the <span class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_portacl</span>(4)</span> manual page for further information.</p>
<div class="SECT2">
<h2 class="SECT2"><a id="AEN22129" name="AEN22129">15.8.1. Examples</a></h2>
<p>The following examples should illuminate the above discussion a little better:</p>
<pre class="SCREEN"><samp class="PROMPT">#</samp> <kbd class="USERINPUT">sysctl security.mac.portacl.port_high=1023</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">sysctl net.inet.ip.portrange.reservedlow=0 net.inet.ip.portrange.reservedhigh=0</kbd></pre>
<p>First we set <span class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_portacl</span>(4)</span> to cover the standard privileged ports and disable the normal <span class="TRADEMARK">UNIX</span> bind restrictions.</p>
<pre class="SCREEN"><samp class="PROMPT">#</samp> <kbd class="USERINPUT">sysctl security.mac.portacl.suser_exempt=1</kbd></pre>
<p>The <tt class="USERNAME">root</tt> user should not be crippled by this policy, thus set <var class="LITERAL">security.mac.portacl.suser_exempt</var> to a non-zero value. The <span class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_portacl</span>(4)</span> module has now been set up to behave the same way <span class="TRADEMARK">UNIX</span>-like systems behave by default.</p>
<pre class="SCREEN"><samp class="PROMPT">#</samp> <kbd class="USERINPUT">sysctl security.mac.portacl.rules=uid:80:tcp:80</kbd></pre>
<p>Allow the user with <acronym class="ACRONYM">UID</acronym> 80 (normally the <tt class="USERNAME">www</tt> user) to bind to port 80. This can be used to allow the <tt class="USERNAME">www</tt> user to run a web server without ever having <tt class="USERNAME">root</tt> privilege.</p>
<pre class="SCREEN"><samp class="PROMPT">#</samp> <kbd class="USERINPUT">sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995</kbd></pre>
<p>Permit the user with the <acronym class="ACRONYM">UID</acronym> of 1001 to bind to the <acronym class="ACRONYM">TCP</acronym> ports 110 (``pop3'') and 995 (``pop3s''). This will permit this user to start a server that accepts connections on ports 110 and 995.</p>
</div>
</div>
<h3 class="FOOTNOTES">Notes</h3>
<table border="0" class="FOOTNOTES" width="100%">
<tr>
<td align="LEFT" valign="TOP" width="5%"><a id="FTN.AEN22079" name="FTN.AEN22079" href="mac-portacl.html#AEN22079"><span class="footnote">[1]</span></a></td>
<td align="LEFT" valign="TOP" width="95%"><p>Due to a bug, the <var class="LITERAL">security.mac.portacl.enabled</var> <tt class="COMMAND">sysctl</tt> variable will not work on FreeBSD 5.2.1 or previous releases.</p></td>
</tr>
</table>
<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="mac-ifoff.html" accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html" accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="mac-labelingpolicies.html" accesskey="N">Next</a></td>
</tr>
<tr>
<td width="33%" align="left" valign="top">The MAC ifoff Module</td>
<td width="34%" align="center" valign="top"><a href="mac.html" accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">MAC Policies with Labeling Features</td>
</tr>
</table>
</div>
</body>
</html>
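The rule syntax and the sysctl sequence described in this section, as an added POSIX sh example that is not part of the Handbook or of the mac_portacl(4) module: it rejects a malformed ruleset (a user name instead of a numeric id, an unknown protocol, a port outside the protected range) before the string reaches sysctl(8), then applies the settings in the same order as the examples above. PORTACL_PORT_HIGH and the function names are assumptions of this example.

```shell
# Constructed example for this Handbook section, not FreeBSD project code:
# validate a mac_portacl(4) ruleset (idtype:id:protocol:port[,...]) before
# handing it to sysctl(8). PORTACL_PORT_HIGH and the function names are
# assumptions of this example, not names from the module.
set -f   # no pathname expansion while splitting fields with "set --"

PORTACL_PORT_HIGH=1023   # must match security.mac.portacl.port_high

# is_uint STRING: non-empty decimal digits only (the kernel takes no names)
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# portacl_check_rule idtype:id:protocol:port: 0 if well formed, else 1
portacl_check_rule() {
    oldifs=$IFS; IFS=:
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    case "$1" in uid|gid) ;; *) return 1 ;; esac   # idtype
    is_uint "$2" || return 1                       # "www" is rejected here
    case "$3" in tcp|udp) ;; *) return 1 ;; esac   # protocol
    is_uint "$4" || return 1                       # "http" is rejected here
    # a port above port_high is never protected, so such a rule is a mistake
    [ "$4" -le "$PORTACL_PORT_HIGH" ]
}

# portacl_check_rules rule[,rule,...]: 0 only if every rule is well formed
portacl_check_rules() {
    oldifs=$IFS; IFS=,
    set -- $1
    IFS=$oldifs
    [ $# -ge 1 ] || return 1
    for r in "$@"; do
        portacl_check_rule "$r" || return 1
    done
}

# portacl_apply rule[,rule,...]: the sysctl(8) sequence from the examples
portacl_apply() {
    portacl_check_rules "$1" || { echo "bad mac_portacl ruleset: $1" >&2; return 1; }
    sysctl security.mac.portacl.port_high="$PORTACL_PORT_HIGH"
    sysctl net.inet.ip.portrange.reservedlow=0 net.inet.ip.portrange.reservedhigh=0
    sysctl security.mac.portacl.suser_exempt=1
    sysctl security.mac.portacl.rules="$1"
}
```

Running `portacl_apply uid:80:tcp:80` as root reproduces the www example; the two check functions need no privilege and can be run anywhere.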