DISCLAIMER: I know how to run daemons that either listen on ports <1024 by using privbind
or some iptables
REDIRECT. Or more generally spoken, how to make daemons available on priviliged ports that usually don't run there.
The question itself is kind of a meta question.
QUESTION: Why on earth is it that ports <1024 are generally reserved to the root user. From a pragmatic point of view I'd love to be able to just tell a daemon under which port to lisen on and not have to care about root privileges. The more I think about it the more I come to the conclusion that specifically this kind of "security" is just historical bloat.
A sysctl along the lines of sysctl -w net.ipv[46].conf.port.80=www-data
(something like that, I hope the idea is what comes trhough) would be what I'd really desire.
This way it would be possible to maintain the "current level of security" but still allow arbitrary users to listen on lower ports. Linux capabilities (CAP_NET_BIND_SERVICE
) are a first step in the right direction - at least in my mind - but given that I'm used to ports <1024 being something special I hesitate dropping the restriction completely. I just can't see an objective reason why that is the case.
Someone please enlighten me :)
Note: Yes I read some of the similiar titles but I'm not quite satisfied with a "You shouldn't be doing it". Having to jump through hoops to get apache listen on port 80 where all it does is starting up with root
and then dropping privileges is unnecessary (at least I think that). Why can't I just let it run as a normal user and do it's work. That way a privilege escalation bug wouldn't even allow for root privileges. All there is are privileges of www-data
(or whatever the user on the distro of choice is)
As far as I know this is, indeed, mainly just an historical convention; the idea being that when accessing a port under 1024 you can be sure you're accessing whatever the administrator of the server configured to run on the server. This made more sense back when servers where few and huge and you needed an easy way to authenticate, or at least judge the reliability of a service, by such basic means.
By the way, you may find that Capabilities do what you want. See this SO question for more information on the alternatives, but here's the sample use: