Created attachment 244195
Dreaming of being /etc/rc.d/portacl

mac_portacl(4) is a kernel module providing access control policy for network service port binding, allowing for specified users and groups to bind to otherwise root-privileged ports.

Currently, to make use of this, the module must be loaded, the rules set in a sysctl in a single line with only numeric IDs allowed, and the stock reserved ports sysctl needs to be set to disable enforcement. For example, allowing user www, uid 80, to bind to ports http and https:

    net.inet.ip.portrange.reservedhigh=0
    security.mac.portacl.rules="uid:80:tcp:80,uid:80:tcp:443"

Attached is the first cut of an rc script which allows for configuration using only rc.conf variables, including mapping user and service names to their numeric equivalents. For example, the above configuration would be achieved with:

    portacl_enable="YES"
    portacl_users="www"
    portacl_user_www_tcp="http https"

This uses dynamic variables of the form portacl_{user,group}_${name}_{tcp,udp} to configure each portion of the ruleset. Existing raw rules can be combined:

    portacl_additional_rules="uid:143:tcp:993"

Existing rules and other relevant OIDs set in /etc/sysctl.conf{,.local} are overridden, but a warning is issued if any are found.

Development is currently taking place here: https://github.com/Freaky/portacl
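As an added illustration (not the attached rc script and not any FreeBSD code), the following POSIX sh sketch shows the name-to-number mapping the report describes: a user name and a list of service names (including /etc/services aliases) are resolved to the numeric uid:N:proto:port form that security.mac.portacl.rules requires, and entries that fail to resolve are warned about and skipped rather than invalidating the whole ruleset. The passwd and services tables are constructed inline so it runs without FreeBSD, and the function names build_rules, lookup_uid and lookup_port are my own.

```shell
#!/bin/sh
# Added example, not the attached script: translate name-based portacl
# settings into the numeric rule string mac_portacl(4) understands.
# The passwd and services data below are constructed samples embedded
# here instead of reading the live /etc/passwd and /etc/services.

SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/sh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin'

SAMPLE_SERVICES='http 80/tcp www www-http
https 443/tcp
domain 53/tcp
domain 53/udp
imaps 993/tcp'

# lookup_uid NAME -> numeric uid from the passwd table; a numeric
# argument is passed through unchanged. Fails if the name is unknown.
lookup_uid() {
    case $1 in
        ''|*[!0-9]*)
            printf '%s\n' "$SAMPLE_PASSWD" |
                awk -F: -v n="$1" '$1 == n { print $3; found = 1 }
                                   END { exit !found }' ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# lookup_port NAME PROTO -> numeric port for NAME on PROTO, accepting
# both the canonical service name and any alias on the same line.
lookup_port() {
    case $1 in
        ''|*[!0-9]*)
            printf '%s\n' "$SAMPLE_SERVICES" |
                awk -v n="$1" -v p="$2" '
                    { split($2, a, "/"); if (a[2] != p) next
                      for (i = 1; i <= NF; i++)
                          if (i != 2 && $i == n) { print a[1]; found = 1; exit } }
                    END { exit !found }' ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# build_rules USER PROTO SERVICE... -> comma-joined "uid:N:PROTO:PORT"
# entries. An unknown user is fatal; an unknown service is reported on
# stderr and dropped so one bad entry does not discard the others.
build_rules() {
    user=$1; proto=$2; shift 2
    uid=$(lookup_uid "$user") || {
        echo "portacl: unknown user '$user'" >&2; return 1; }
    out=
    for svc in "$@"; do
        port=$(lookup_port "$svc" "$proto") || {
            echo "portacl: unknown service '$svc'/$proto, skipping" >&2
            continue; }
        out="${out:+$out,}uid:$uid:$proto:$port"
    done
    printf '%s\n' "$out"
}

# Equivalent of portacl_users="www" portacl_user_www_tcp="http https":
build_rules www tcp http https
# On a FreeBSD host with the module loaded, the result would be applied as:
#   sysctl net.inet.ip.portrange.reservedhigh=0 \
#          security.mac.portacl.rules="$(build_rules www tcp http https)"
```

The final sysctl invocation is left commented because it needs root on a FreeBSD host with mac_portacl loaded; everything above it runs on any POSIX shell.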
Thank you so much for opening this issue! Can you add the documentation to `rc.conf(5)` and the defaults to `/etc/defaults/rc.conf`? Maybe it'd be easier to do this on GitHub?
Created attachment 244227
Updated script

* Add printrules command
* Support aliases in /etc/services
* Validate rules, warn about and filter out invalid ones so one bad rule does not invalidate the entire ruleset
* Add options for all other mac_portacl settings
* Various cleanups
(In reply to Mina Galić from comment #1)

GitHub has a first cut of an updated rc.conf(5). I've put together a port so it can get some wider use, and once I'm sure I'm done with the churn I'll see about putting together a full patch for review.