|
|
|
|
|
|
by ptx
4283 days ago
|
|
|
The FreeBSD MAC framework[0] allows you to do exactly this, and I agree that it makes a lot more sense. So to run a web server as the user myapp (with UID 1234 in this example), you simply load the mac_portacl kernel module and then: sysctl security.mac.portacl.rules=uid:1234:tcp:80,uid:1234:tcp:443
In Linux it seems I can only assign the right to bind to all privileged ports (with cap_net_bind_service), but once every user has that right, that's essentially the same thing as not having privileged ports at all, and we're back to where we started. O_o[0] http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ma... |
|
|