undefined | Better HN

0 pointsboomlinde4y ago0 comments

From a practical point of view, regardless of the scope of the original question, this is the kind of scenario where you'd really want the restriction. More than a simple administrative task it's a dangerous attack vector to allow any user to launch your httpd or DNS.

That being said, check out capabilities(7) in Linux. You can grant an executable the privilege of binding to a low port when run by non-0 uid through setcap. This is a good compromise.

0 comments

convolvatron4y ago

this whole 'privledged ports' nonsense is left over from a time where some process on another machine running on a low port was somehow to be trusted - because the person running that process was another administrator, and you can generally trust those guys (as opposed to unwashed users).

that world didn't last very long, and I wish we could vent some of these designs that didn't pass the test of time.

j / k navigate · click thread line to collapse

0 pointsboomlinde4y ago0 comments

That being said, check out capabilities(7) in Linux. You can grant an executable the privilege of binding to a low port when run by non-0 uid through setcap. This is a good compromise.

0 comments

convolvatron4y ago

that world didn't last very long, and I wish we could vent some of these designs that didn't pass the test of time.

j / k navigate · click thread line to collapse