portacl is an rc(8) initialization script for mac_portacl(4), allowing administrators to limit or permit binding to local UDP and TCP ports that would otherwise be privileged to the superuser. Configuration is via the following rc.conf(5) variables.
- portacl_enable
  (bool) Set to “YES” to load and enable the mac_portacl(4) module upon system initialization.
- portacl_⟨users|groups⟩
  (str) A space-delimited list of user and group names or numeric IDs to apply mac_portacl(4) rules for, using the associated portacl_⟨user|group⟩_⟨ident⟩_⟨tcp|udp⟩ variables.
- portacl_⟨user|group⟩_⟨ident⟩_⟨tcp|udp⟩
  (str) A space-delimited list of service names or port numbers to add to the mac_portacl(4) ruleset for that user or group and protocol.
- portacl_additional_rules
  (str) A comma-delimited list of raw mac_portacl(4) rules to include alongside those specified above.
- portacl_port_high
  (int) The highest port that should be considered privileged by mac_portacl(4). This corresponds to the sysctl(8) variable security.mac.portacl.port_high, and defaults to 1023. Note that default privileged port restrictions will not be enforced above this value.
- portacl_suser_exempt
  (bool) Allow the superuser to bind to all mac_portacl(4) protected ports. This corresponds to the sysctl(8) variable security.mac.portacl.suser_exempt, and defaults to YES.
- portacl_autoport_exempt
  (bool) Allow applications to use automatic binding to port 0. This corresponds to the sysctl(8) variable security.mac.portacl.autoport_exempt, and defaults to YES.
The variables above are read from the following files:
- /etc/rc.conf
- /etc/rc.conf.local
Use service(8) and sysrc(8) to permit applications running under the “www” user to bind TCP ports http (80) and https (443).

  # sysrc portacl_users="www"
  # sysrc portacl_user_www_tcp="http https"
  # service portacl enable
  # service portacl start
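The rc(8) script's job is to turn the portacl_* variables above into the comma-delimited rule string that mac_portacl(4) reads from the sysctl security.mac.portacl.rules, where each rule has the form idtype:id:protocol:port (idtype is uid or gid and id is numeric). The following POSIX shell is an added example written for this page, not the rc.d/portacl script itself: it performs that translation for the example configuration, resolving names to numbers and dropping malformed entries instead of emitting a bogus rule. The user and service lookup tables are constructed stand-ins for id(1) and /etc/services so the example runs offline; the www uid of 80 in that table matches FreeBSD's stock passwd entry but is a hard-coded assumption here.

```shell
#!/bin/sh
# Added example (not the rc.d/portacl script): build the value of the
# security.mac.portacl.rules sysctl from rc.conf(5)-style portacl_* variables.
# Rule syntax expected by mac_portacl(4): idtype:id:proto:port.

# Constructed user/group table (name -> numeric id), a stand-in for id(1).
lookup_id() {
    case "$1:$2" in
        user:www)  echo 80 ;;
        user:bind) echo 53 ;;
        group:www) echo 80 ;;
        *) return 1 ;;
    esac
}

# Constructed service table (name/proto -> port), a stand-in for /etc/services.
lookup_service() {
    case "$1/$2" in
        http/tcp)              echo 80 ;;
        https/tcp)             echo 443 ;;
        domain/tcp|domain/udp) echo 53 ;;
        *) return 1 ;;
    esac
}

# A numeric port is accepted only if it is in 1..65535; anything else is
# treated as a service name and looked up for the given protocol.
resolve_port() {
    case "$1" in
        ''|*[!0-9]*) lookup_service "$1" "$2" ;;
        *) [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && echo "$1" ;;
    esac
}

# portacl_build_rules KIND NAME PROTO PORTS
# Emit one rule per port for KIND "user" (uid) or "group" (gid).  NAME may be
# a name or a numeric id.  Unresolvable ports are skipped with a warning so a
# typo in rc.conf cannot silently open the wrong port.
portacl_build_rules() {
    local kind=$1 name=$2 proto=$3 ports=$4 idtype numid out p port
    case "$kind" in
        user)  idtype=uid ;;
        group) idtype=gid ;;
        *) echo "portacl: bad id type $kind" >&2; return 1 ;;
    esac
    case "$name" in
        *[!0-9]*) numid=$(lookup_id "$kind" "$name") ||
                      { echo "portacl: unknown $kind $name" >&2; return 1; } ;;
        *) numid=$name ;;
    esac
    out=
    for p in $ports; do
        port=$(resolve_port "$p" "$proto") ||
            { echo "portacl: bad port $p/$proto for $name" >&2; continue; }
        out="${out}${idtype}:${numid}:${proto}:${port},"
    done
    printf '%s' "${out%,}"
}

# portacl_rules_from_conf
# Walk portacl_users / portacl_groups and their per-protocol port lists in the
# layout the rc.conf(5) variables above describe, then append
# portacl_additional_rules verbatim.  Variables are read from the environment.
portacl_rules_from_conf() {
    local rules= kind names n proto ports r
    for kind in user group; do
        eval names=\"\${portacl_${kind}s}\"
        for n in $names; do
            for proto in tcp udp; do
                eval ports=\"\${portacl_${kind}_${n}_${proto}}\"
                [ -n "$ports" ] || continue
                r=$(portacl_build_rules "$kind" "$n" "$proto" "$ports") || continue
                [ -n "$r" ] && rules="${rules}${r},"
            done
        done
    done
    [ -n "$portacl_additional_rules" ] && rules="${rules}${portacl_additional_rules},"
    printf '%s\n' "${rules%,}"
}

# Constructed sample configuration: the page's www example plus a group rule
# and one raw additional rule.
portacl_users="www"
portacl_user_www_tcp="http https"
portacl_groups="www"
portacl_group_www_udp="domain"
portacl_additional_rules="uid:53:udp:53"
portacl_rules_from_conf   # -> uid:80:tcp:80,uid:80:tcp:443,gid:80:udp:53,uid:53:udp:53
```

On a FreeBSD host the resulting string is what ends up in `sysctl security.mac.portacl.rules`; comparing that sysctl's live value against the output of a translation like this is a quick way to confirm the running ruleset matches what rc.conf declares.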