mac-portacl.html

这是很好的学习嵌入式LINUX的文章

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>The MAC portacl Module</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Mandatory Access Control" href="mac.html" />
<link rel="PREVIOUS" title="The MAC ifoff Module" href="mac-ifoff.html" />
<link rel="NEXT" title="MAC Policies with Labeling Features"
href="mac-labelingpolicies.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="mac-ifoff.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 15 Mandatory Access Control</td>
<td width="10%" align="right" valign="bottom"><a href="mac-labelingpolicies.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="MAC-PORTACL" name="MAC-PORTACL">15.8 The MAC portacl
Module</a></h1>

<p>Module name: <tt class="FILENAME">mac_portacl.ko</tt></p>

<p>Kernel configuration line: <var class="LITERAL">MAC_PORTACL</var></p>

<p>Boot option: <var class="LITERAL">mac_portacl_load="YES"</var></p>

<p>The <a href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_portacl&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_portacl</span>(4)</span></a> module
is used to limit binding to local <acronym class="ACRONYM">TCP</acronym> and <acronym
class="ACRONYM">UDP</acronym> ports using a variety of <tt class="COMMAND">sysctl</tt>
variables. In essence <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_portacl&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_portacl</span>(4)</span></a> makes
it possible to allow non-<tt class="USERNAME">root</tt> users to bind to specified
privileged ports, i.e. ports fewer than 1024.</p>

<p>Once loaded, this module will enable the <acronym class="ACRONYM">MAC</acronym> policy
on all sockets. The following tunables are available:</p>

<ul>
<li>
<p><var class="LITERAL">security.mac.portacl.enabled</var> will enable/disable the policy
completely.<a id="AEN22462" name="AEN22462" href="#FTN.AEN22462"><span
class="footnote">[1]</span></a></p>
</li>

<li>
<p><var class="LITERAL">security.mac.portacl.port_high</var> will set the highest port
number that <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_portacl&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_portacl</span>(4)</span></a> will
enable protection for.</p>
</li>

<li>
<p><var class="LITERAL">security.mac.portacl.suser_exempt</var> will, when set to a
non-zero value, exempt the <tt class="USERNAME">root</tt> user from this policy.</p>
</li>

<li>
<p><var class="LITERAL">security.mac.portacl.rules</var> will specify the actual
mac_portacl policy; see below.</p>
</li>
</ul>

<p>The actual <var class="LITERAL">mac_portacl</var> policy, as specified in the <var
class="LITERAL">security.mac.portacl.rules</var> sysctl, is a text string of the form:
<var class="LITERAL">rule[,rule,...]</var> with as many rules as needed. Each rule is of
the form: <var class="LITERAL">idtype:id:protocol:port</var>. The <var
class="PARAMETER">idtype</var> parameter can be <var class="LITERAL">uid</var> or <var
class="LITERAL">gid</var> and used to interpret the <var class="PARAMETER">id</var>
parameter as either a user id or group id, respectively. The <var
class="PARAMETER">protocol</var> parameter is used to determine if the rule should apply
to <acronym class="ACRONYM">TCP</acronym> or <acronym class="ACRONYM">UDP</acronym> by
setting the parameter to <var class="LITERAL">tcp</var> or <var
class="LITERAL">udp</var>. The final <var class="PARAMETER">port</var> parameter is the
port number to allow the specified user or group to bind to.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> Since the ruleset is interpreted directly by the kernel only numeric
values can be used for the user ID, group ID, and port parameters. I.e. user, group, and
port service names cannot be used.</p>
</blockquote>
</div>

<p>By default, on <span class="TRADEMARK">UNIX</span>&reg;-like systems, ports fewer than
1024 can only be used by/bound to privileged processes, i.e. those run as <tt
class="USERNAME">root</tt>. For <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_portacl&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_portacl</span>(4)</span></a> to
allow non-privileged processes to bind to ports below 1024 this standard <span
class="TRADEMARK">UNIX</span> restriction has to be disabled. This can be accomplished by
setting the <a href="http://www.FreeBSD.org/cgi/man.cgi?query=sysctl&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">sysctl</span>(8)</span></a> variables
<var class="LITERAL">net.inet.ip.portrange.reservedlow</var> and <var
class="LITERAL">net.inet.ip.portrange.reservedhigh</var> to zero.</p>

<p>See the examples below or review the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_portacl&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_portacl</span>(4)</span></a> manual
page for further information.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN22512" name="AEN22512">15.8.1 Examples</a></h2>

<p>The following examples should illuminate the above discussion a little better:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">sysctl security.mac.portacl.port_high=1023</kbd>
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">sysctl net.inet.ip.portrange.reservedlow=0 net.inet.ip.portrange.reservedhigh=0</kbd>
</pre>

<p>First we set <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_portacl&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_portacl</span>(4)</span></a> to
cover the standard privileged ports and disable the normal <span
class="TRADEMARK">UNIX</span> bind restrictions.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">sysctl security.mac.portacl.suser_exempt=1</kbd>
</pre>

<p>The <tt class="USERNAME">root</tt> user should not be crippled by this policy, thus
set the <var class="LITERAL">security.mac.portacl.suser_exempt</var> to a non-zero value.
The <a href="http://www.FreeBSD.org/cgi/man.cgi?query=mac_portacl&sektion=4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mac_portacl</span>(4)</span></a> module
has now been set up to behave the same way <span class="TRADEMARK">UNIX</span>-like
systems behave by default.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">sysctl security.mac.portacl.rules=uid:80:tcp:80</kbd>
</pre>

<p>Allow the user with <acronym class="ACRONYM">UID</acronym> 80 (normally the <tt
class="USERNAME">www</tt> user) to bind to port 80. This can be used to allow the <tt
class="USERNAME">www</tt> user to run a web server without ever having <tt
class="USERNAME">root</tt> privilege.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995</kbd>
</pre>

<p>Permit the user with the <acronym class="ACRONYM">UID</acronym> of 1001 to bind to the
<acronym class="ACRONYM">TCP</acronym> ports 110 (``pop3'') and 995 (``pop3s''). This
will permit this user to start a server that accepts connections on ports 110 and
995.</p>
</div>
</div>

<h3 class="FOOTNOTES">Notes</h3>

<table border="0" class="FOOTNOTES" width="100%">
<tr>
<td align="LEFT" valign="TOP" width="5%"><a id="FTN.AEN22462" name="FTN.AEN22462"
href="mac-portacl.html#AEN22462"><span class="footnote">[1]</span></a></td>
<td align="LEFT" valign="TOP" width="95%">
<p>Due to a bug the <var class="LITERAL">security.mac.portacl.enabled</var> <tt
class="COMMAND">sysctl</tt> variable will not work on FreeBSD&nbsp;5.2.1 or previous
releases.</p>
</td>
</tr>
</table>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="mac-ifoff.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="mac-labelingpolicies.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">The MAC ifoff Module</td>
<td width="34%" align="center" valign="top"><a href="mac.html" accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">MAC Policies with Labeling Features</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>