Re: Building Apple Open Source Tool
On Mar 7, 2019, at 01:18, Alastair Houghton <alastair@alastairs-place.net> wrote:
On 6 Mar 2019, at 15:42, Sandor Szatmari <admin.szatmari.net@gmail.com> wrote:
So… one solution, that works, ;) is to chown root:wheel and chmod u+s. This gives the binary the privs it needs. But Apple’s binary in /usr/bin does not employ this solution. I thought maybe I could sign it with my dev cert and go that route. But not sure what/how to configure. If nothing better comes along I can at least do this.
Apple’s version works by having the entitlement com.apple.private.network.reserved-port, which AFAIK only works if the code signature on the binary belongs to Apple (otherwise it’d be a massive security hole). I think third-party software probably has to run as root in order for rresvport() to work.
That’s what I was afraid of, but just wasn’t confident enough to be sure of that conclusion.
Thanks,
Sandor
Kind regards,
Alastair.
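If the setuid-root route discussed above is used, the binary only needs root for the rresvport() call itself. The following is an added example, not code from this thread or from Apple's sources, and the helper names `drop_privileges` and `reserved_socket_then_drop` are hypothetical: it takes the reserved port first and then permanently returns to the invoking user's identity before any other work is done.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* glibc: expose rresvport() in <netdb.h> */
#endif
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>          /* IPPORT_RESERVED (1024) */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>              /* macOS declares rresvport() here */

/* Permanently give up the root identity a setuid-root binary starts with.
 * Returns 0 on success, -1 if a step failed or root could be regained. */
static int drop_privileges(void)
{
    uid_t ruid = getuid();       /* the user who actually ran the binary */
    gid_t rgid = getgid();

    /* Group first: once the uid is dropped, setgid() is no longer allowed. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* The drop must be irreversible: regaining uid 0 has to fail now. */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Take the reserved port while still privileged, then drop root at once.
 * Returns the bound socket (port in *port), or -1 with errno from rresvport(). */
static int reserved_socket_then_drop(int *port)
{
    *port = IPPORT_RESERVED - 1; /* rresvport() searches downward from 1023 */
    int fd = rresvport(port);
    int saved_errno = errno;

    if (drop_privileges() != 0)
        _exit(EXIT_FAILURE);     /* fail closed: never continue as root */
    errno = saved_errno;
    return fd;
}

int main(void)
{
    int port;
    int fd = reserved_socket_then_drop(&port);
    if (fd < 0) { perror("rresvport"); return 1; }
    printf("port %d bound, uid=%d euid=%d\n", port, (int)getuid(), (int)geteuid());
    close(fd);
    return 0;
}
```

Run without the setuid bit as an ordinary user, rresvport() is expected to fail and the program reports the error; the privilege drop is still performed and checked on that path.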
Darwin-dev mailing list (Darwin-dev@lists.apple.com)