Linux really needs to remove the “privileged ports” security theater bullshit.
We’re no longer living in the mainframe era. The security properties of the Internet are different to mainframes. This is actually an anti-feature that either complicates life or actually compromises security (when folks run servers as root and forget to drop privileges, etc.).
If anyone has any sway within the kernel team, etc., please do your thing.
https://source.small-tech.org/site.js/app/-/issues/169
#linux #security #theatre #networking
Disable privileged ports security theatre on Linux instead of using setcap (#169) · Issues · Site.js / app (GitLab)
Summary: Currently, we’re using setcap to grant the CAP_NET_BIND_SERVICE privilege to allow Node.js (during development and testing) and the Site.js binary...
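The failure mode the post names is a server that binds 80/443 as root and never drops privileges, while the linked issue wants the check removed rather than worked around with setcap. The block below is an added example, not code from the post or from the Site.js project. It shows the defensive pattern on Linux: bind the low port while still privileged, then drop to an unprivileged uid/gid in the correct order (supplementary groups, gid, uid) and verify root cannot be regained. It also reads the kernel's `net.ipv4.ip_unprivileged_port_start` sysctl, which is the supported system-wide way to lower or disable the privileged-port threshold (a value of 0 turns the check off). The demo port 80 and the `nobody` account are assumptions.

```python
import os
import socket

# Kernel default for net.ipv4.ip_unprivileged_port_start: ports below this
# value need CAP_NET_BIND_SERVICE (or root). Setting the sysctl to 0 disables
# the privileged-port check entirely; raising it makes more ports privileged.
DEFAULT_UNPRIVILEGED_PORT_START = 1024
SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def read_unprivileged_port_start(path=SYSCTL_PATH):
    """Return the kernel's current threshold, or the default if it cannot be read."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_UNPRIVILEGED_PORT_START


def is_privileged_port(port, unprivileged_start=DEFAULT_UNPRIVILEGED_PORT_START):
    """True if binding `port` needs CAP_NET_BIND_SERVICE under the given threshold."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return port < unprivileged_start


def drop_privileges(uid, gid):
    """Permanently switch to uid/gid. Order matters: groups, then gid, then uid."""
    if os.geteuid() != 0:
        return  # not root (e.g. started under a setcap'd binary): nothing to drop
    os.setgroups([])        # supplementary groups first; only root may do this
    os.setgid(gid)          # gid before uid, while we still have the right to
    os.setuid(uid)          # irreversible: all capability sets are cleared here
    if os.getuid() != uid or os.geteuid() != uid:
        raise RuntimeError("privilege drop failed: uid not switched")
    # Belt and braces: a correct drop means setuid(0) is now refused.
    try:
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("privilege drop failed: could regain root")


def bind_then_drop(port, uid, gid, host="0.0.0.0"):
    """Bind a (possibly privileged) port while privileged, then drop to uid/gid."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    drop_privileges(uid, gid)   # the bound socket survives the uid change
    return sock


if __name__ == "__main__":
    import pwd

    start = read_unprivileged_port_start()
    port = 80  # assumption: demo port
    print("port %d privileged under threshold %d: %s"
          % (port, start, is_privileged_port(port, start)))
    target = pwd.getpwnam("nobody")  # assumption: account to drop to
    srv = bind_then_drop(port, target.pw_uid, target.pw_gid)
    print("listening on %s as uid %d" % (srv.getsockname(), os.getuid()))
```

The demo itself needs root (or an interpreter granted CAP_NET_BIND_SERVICE, in which case `drop_privileges` has nothing to drop and returns unchanged); `is_privileged_port` and `read_unprivileged_port_start` run as any user and make the kernel's policy explicit so a service can refuse to start under a misconfigured threshold instead of silently running as root.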
Aral Balkan, in reply to Aral Balkan

Simone Silvestroni (M2M), in reply to Aral Balkan
I know it sounds silly, but imagine if I go back to the UK and keep doing it :D

Gert V 🇵🇸, in reply to Aral Balkan

Stefan Midjich ꙮ҄, in reply to Aral Balkan

Aral Balkan, in reply to Stefan Midjich ꙮ҄

Stefan Midjich ꙮ҄, in reply to Aral Balkan
So I still see no reason to allow services to use privileged ports in my view. But we all have different perspectives.

Aral Balkan, in reply to Stefan Midjich ꙮ҄
We need to set up your own Facebook on your own server in under a minute with no technical knowledge required on your part. And democratise development while we’re at it as much as possible. So no front controller/proxy, etc., setups. Think lightweight server with in-process database.
But, beyond use cases, again, it provides no real security unless you’re administering a System/360.
What is the Small Web? (Aral Balkan)

paillp, in reply to Aral Balkan
I see lots of workarounds to your problem and Linux in itself doesn't prevent one from achieving the behavior you're looking for.

Aral Balkan, in reply to paillp

paillp, in reply to Aral Balkan
`sudo setcap 'cap_net_bind_service=+ep' /usr/bin/nc`

Aral Balkan, in reply to paillp

Carlos Mogas da Silva, in reply to Aral Balkan

demvw, in reply to Aral Balkan

Aral Balkan, in reply to demvw

yin yang yoink, in reply to Aral Balkan

Aral Balkan, in reply to yin yang yoink
https://ar.al/2020/08/07/what-is-the-small-web/
What is the Small Web? (Aral Balkan)

Cyberspice, in reply to Aral Balkan

maswan, in reply to Aral Balkan

Aral Balkan, in reply to maswan

maswan, in reply to Aral Balkan