Dear Linux, Privileged Ports Must Die
https://ar.al/2022/08/30/dear-linux-privileged-ports-must-die/
#Linux #PrivilegedPortsMustDie
Privileged ports, toffs of the Linux world. Kitten is a small web server that runs as a user-level service and would never need elevated privileges if it wasn’t for one archaic anti-security feature in Linux that dates back to the mainframe era: pr…
Aral Balkan
Arne Babenhauserheide
in reply to Aral Balkan
But starting unprivileged at 80 sounds good.
I would not want unprivileged to start at 22, though: SSH must stay in the domain of root because it is how any other user can log in.
If it gives privilege, it should be a privileged port.

Aral Balkan
in reply to Arne Babenhauserheide

Lars Lehtonen
in reply to Aral Balkan

Aral Balkan
in reply to Lars Lehtonen
https://ar.al/2022/08/30/dear-linux-privileged-ports-must-die/

Aral Balkan
Unknown parent

Aral Balkan
Unknown parent
Disable privileged ports security theatre on Linux instead of using setcap (#169) · Issues · Site.js / app
GitLab

Aral Balkan
Unknown parent

BrightSide
in reply to Aral Balkan
Or (not to get tangled in another discussion about this) but if you launch with a systemd service you can put AmbientCapabilities=CAP_NET_BIND_SERVICE in your [Service] section.
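
The systemd approach described in the comment above, as an added example that is not part of the thread and not Kitten's or Site.js's own configuration. The unit name `example-web.service`, the `webuser` account, the binary path and its `--port` flag are all hypothetical; the systemd directives are real.

```ini
# /etc/systemd/system/example-web.service  (hypothetical unit name and paths)
[Unit]
Description=Example web server on a low port without root
After=network-online.target
Wants=network-online.target

[Service]
# Hypothetical unprivileged account: the process never runs as root.
User=webuser
Group=webuser
# Hypothetical binary and flag.
ExecStart=/usr/local/bin/example-web --port 443

# Grant the one capability needed to bind ports below 1024.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Limit what the service, and anything it execs, can ever hold to that same capability.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Block privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=true
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

Once the service is running, the `CapEff` line in `/proc/<pid>/status` should read `0000000000000400`, which is CAP_NET_BIND_SERVICE (bit 10) and nothing else.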
Aral Balkan
in reply to BrightSide
https://source.small-tech.org/site.js/app/-/issues/169
Disable privileged ports security theatre on Linux instead of using setcap (#169) · Issues · Site.js / app
GitLab

Emacsen
in reply to Aral Balkan
I didn't know it was configurable. This is a huge deal. Thank you!

project always tired
in reply to Aral Balkan

Aral Balkan
in reply to project always tired

e-Jim 🖧
in reply to Aral Balkan
I had never considered it.