Created attachment 180751
patch to add the allow.reserved_port option to jail(8)

The attached patch adds a new jail(8) configuration option to deny the use of reserved ports inside a jail. This is intended for use in shared-IP jails that set the "ipv4=inherit" option, and would not be useful in VNET-enabled jails. The primary use case is for delegating jail administration to ordinary users who would otherwise not be allowed access to run services on reserved ports. Without this patch, ordinary users who have root privileges inside a shared-IP jail have the ability to run services that potentially conflict with the host, such as SSH or Sendmail.
I personally like this idea a lot. Anyone else have feedback?
It defaults to allow, to avoid breaking existing jails, so I agree.
LGM
https://reviews.freebsd.org/D10202
A commit references this bug:

Author: allanjude
Date: Tue Jun 6 02:15:01 UTC 2017
New revision: 319611
URL: https://svnweb.freebsd.org/changeset/base/319611

Log:
  Jails: Optionally prevent jailed root from binding to privileged ports

  You may now optionally specify allow.noreserved_ports to prevent root
  inside a jail from using privileged ports (less than 1024)

  PR: 217728
  Submitted by: Matt Miller <mattm916@pulsar.neomailbox.ch>
  Reviewed by: jamie, cem, smh
  Relnotes: yes
  Differential Revision: https://reviews.freebsd.org/D10202

Changes:
  head/sys/kern/kern_jail.c
  head/sys/sys/jail.h
  head/usr.sbin/jail/jail.8
Committed Tue Jun 6 02:15:01 UTC 2017.
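
A jail.conf(5) sketch of the use case discussed in this report, added here as an example and not taken from the patch or the FreeBSD sources. The jail names, paths and hostnames are constructed placeholders; the parameter spelling `allow.noreserved_ports` is the one given in the commit log above, and the shared-IP setting is written `ip4 = inherit` as in jail.conf syntax.

```conf
# Constructed example: two shared-IP jails on one host.

# Settings common to both jails.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
mount.devfs;

# Jail run by the host administrator. Nothing is set for reserved
# ports, so the default applies: root inside the jail may bind to
# ports below 1024, exactly as before the change.
trusted {
    path = "/jails/trusted";
    host.hostname = "trusted.example.org";
    ip4 = inherit;                 # shares the host's IPv4 addresses
}

# Jail whose root account is delegated to an ordinary user. Because
# the jail shares the host's addresses, a service started here on a
# privileged port could collide with the host's own SSH or mail
# daemon, so binding to ports below 1024 is denied.
delegated {
    path = "/jails/delegated";
    host.hostname = "delegated.example.org";
    ip4 = inherit;
    allow.noreserved_ports;        # jailed root cannot bind below 1024
}
```

Services inside the delegated jail then have to listen on ports 1024 and above.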