Re: mac_portacl
On Fri, 20 Oct 2006, Nikolay Pavlov wrote:
> I am trying to implement reverse proxy using squid with mac_portacl, but i
> have problem while binding squid to port 80. Am i missed something?
Did you set the IP stack's definition of reserved such that there are no
reserved ports, per the mac_portacl(4) man page?
In order to enable the mac_portacl policy, MAC policy must be enforced on
sockets (see mac(4)), and the port(s) protected by mac_portacl must not
be included in the range specified by the
net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh
sysctl(8) MIBs.
Basically, you need to set those sysctls to 0. That should probably be
explicit in the man page, rather than implicit as it is now.
Robert N M Watson
Computer Laboratory
University of Cambridge
>
> Here is my mac_portacl variables:
>
> # sysctl security.mac.portacl.
> security.mac.portacl.enabled: 1
> security.mac.portacl.suser_exempt: 1
> security.mac.portacl.autoport_exempt: 1
> security.mac.portacl.port_high: 1023
> security.mac.portacl.rules: uid:100:tcp:80
>
> And squid user info:
>
> # grep squid /etc/passwd
> squid:*:100:100:squid caching-proxy pseudo user:/usr/local/squid:/usr/sbin/nologin
>
> Also here is cache.log:
>
> 2006/10/20 09:55:59| Starting Squid Cache version 2.5.STABLE14 for
> i386-portbld-freebsd6.1...
> 2006/10/20 09:55:59| Process ID 6584
> 2006/10/20 09:55:59| With 11072 file descriptors available
> 2006/10/20 09:55:59| DNS Socket created at 0.0.0.0, port 59879, FD 5
> 2006/10/20 09:55:59| Adding nameserver 206.53.60.10 from
> /etc/resolv.conf
> 2006/10/20 09:55:59| User-Agent logging is disabled.
> 2006/10/20 09:55:59| Unlinkd pipe opened on FD 10
> 2006/10/20 09:55:59| Swap maxSize 102400000 KB, estimated 7876923
> objects
> 2006/10/20 09:55:59| Target number of buckets: 393846
> 2006/10/20 09:55:59| Using 524288 Store buckets
> 2006/10/20 09:55:59| Max Mem size: 1048576 KB
> 2006/10/20 09:55:59| Max Swap size: 102400000 KB
> 2006/10/20 09:55:59| Rebuilding storage in /cache (DIRTY)
> 2006/10/20 09:55:59| Using Least Load store dir selection
> 2006/10/20 09:55:59| Set Current Directory to /usr/local/squid/cache
> 2006/10/20 09:55:59| Loaded Icons.
> 2006/10/20 09:55:59| commBind: Cannot bind socket FD 12 to *:80: (13)
> Permission denied
> FATAL: Cannot open HTTP Port
> Squid Cache (Version 2.5.STABLE14): Terminated abnormally.
> CPU Usage: 0.035 seconds = 0.000 user + 0.035 sys
> Maximum Resident Size: 9528 KB
> Page faults with physical i/o: 0
>
>
> --
> ======================================================================
> - Best regards, Nikolay Pavlov. <<<-----------------------------------
> ======================================================================
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 2 之 2 篇):