Module name: mac_portacl.ko
Kernel configuration line:
      MAC_PORTACL
Boot option: mac_portacl_load="YES"
The mac_portacl(4) module is used to limit binding to
      local TCP and UDP ports
      using a variety of sysctl variables.  In
      essence mac_portacl(4) makes it possible to allow
      non-root users to bind to specified
      privileged ports, i.e. ports fewer than 1024.
Once loaded, this module will enable the MAC policy on all sockets. The following tunables are available:
security.mac.portacl.enabled will
	  enable/disable the policy completely.[10]
security.mac.portacl.port_high will set
	  the highest port number that mac_portacl(4)
	  will enable protection for.
security.mac.portacl.suser_exempt will,
	  when set to a non-zero value, exempt the
	  root user from this policy.
security.mac.portacl.rules will
	  specify the actual mac_portacl policy; see below.
The actual mac_portacl policy, as
      specified in the security.mac.portacl.rules
      sysctl, is a text string of the form:
      rule[,rule,...] with as many rules as
      needed.  Each rule is of the form:
      idtype:id:protocol:port.  The
      idtype parameter can be
      uid or gid and used to
      interpret the id parameter as either a
      user id or group id, respectively.  The
      protocol parameter is used to determine if
      the rule should apply to TCP or
      UDP by setting the parameter to
      tcp or udp.  The final
      port parameter is the port number to allow
      the specified user or group to bind to.
Since the ruleset is interpreted directly by the kernel only numeric values can be used for the user ID, group ID, and port parameters. I.e. user, group, and port service names cannot be used.
By default, on UNIX(R)-like systems, ports fewer than 1024
      can only be used by/bound to privileged processes,
      i.e. those run as root.  For
      mac_portacl(4) to allow non-privileged processes to bind
      to ports below 1024 this standard UNIX(R) restriction has to be
      disabled.  This can be accomplished by setting the sysctl(8)
      variables net.inet.ip.portrange.reservedlow and
      net.inet.ip.portrange.reservedhigh
      to zero.
See the examples below or review the mac_portacl(4) manual page for further information.
The following examples should illuminate the above discussion a little better:
#sysctl security.mac.portacl.port_high=1023#sysctl net.inet.ip.portrange.reservedlow=0 net.inet.ip.portrange.reservedhigh=0
First we set mac_portacl(4) to cover the standard privileged ports and disable the normal UNIX(R) bind restrictions.
#sysctl security.mac.portacl.suser_exempt=1
The root user should not be crippled
	by this policy, thus set the
	security.mac.portacl.suser_exempt to a
	non-zero value.  The mac_portacl(4) module
	has now been set up to behave the same way UNIX(R)-like systems
	behave by default.
#sysctl security.mac.portacl.rules=uid:80:tcp:80
Allow the user with UID 80 (normally
	the www user) to bind to port 80.
	This can be used to allow the www
	user to run a web server without ever having
	root privilege.
#sysctl security.mac.portacl.rules=uid:1001:tcp:110,uid:1001:tcp:995
Permit the user with the UID of 1001 to bind to the TCP ports 110 («pop3») and 995 («pop3s»). This will permit this user to start a server that accepts connections on ports 110 and 995.
[10] Due to
	  a bug the security.mac.portacl.enabled
	  sysctl variable will not work on
	  FreeBSD 5.2.1 or previous releases.
Αυτό το κείμενο, και άλλα κείμενα, μπορεί να βρεθεί στο ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/
Για ερωτήσεις σχετικά με το FreeBSD, διαβάστε την
    τεκμηρίωση πριν να επικοινωνήσετε με την
    <questions@FreeBSD.org>.
    Για ερωτήσεις σχετικά με αυτή την τεκμηρίωση, στείλτε e-mail στην
    <doc@FreeBSD.org>.