Skip to main content

Dear Linux, Privileged Ports Must Die

https://ar.al/2022/08/30/dear-linux-privileged-ports-must-die/

#Linux #PrivilegedPortsMustDie

Dear Linux, Privileged Ports Must Die

Privileged ports, toffs of the Linux world. Kitten is a small web server that runs as a user-level service and would never need elevated privileges if it wasn’t for one archaic anti-security feature in Linux that dates back to the mainframe era: pr…
Aral Balkan
#linux #PrivilegedPortsMustDie

Aral Balkan reshared this.

in reply to Aral Balkan

Arne Babenhauserheide
Arne Babenhauserheide
my first thought was "uh, what?!"

But starting unprivileged at 80 sounds good.

I would not want unprivileged to start at 22, though: SSH must stay in the domain of root because it is how any other user can log in.

If it gives privilege, it should be a privileged port.
in reply to Arne Babenhauserheide

Aral Balkan
Aral Balkan
@ArneBab Yeah, I’m totally fine with that (and that’s probably going to be a sticking point for a lot of folks and isn’t the hill I wish to die on. More than happy with 80.)
@Arne Babenhauserheide
in reply to Aral Balkan

Lars Lehtonen
Lars Lehtonen
The first UNIX TCP/IP implementation was released in 1983.
in reply to Lars Lehtonen

Aral Balkan
Aral Balkan
@alrs Thanks, Lars, appreciate the fact checking (it was the one bit I couldn’t find a proper source for and, after your post, some more digging brought up the original implementation). I’ve updated the post accordingly; appreciate it :)

https://ar.al/2022/08/30/dear-linux-privileged-ports-must-die/

Dear Linux, Privileged Ports Must Die

Privileged ports, toffs of the Linux world. Kitten is a small web server that runs as a user-level service and would never need elevated privileges if it wasn’t for one archaic anti-security feature in Linux that dates back to the mainframe era: pr…
Aral Balkan
@Lars Lehtonen
Unknown parent

Aral Balkan
Aral Balkan
@shortwavesurfer2009 That (badly-named setting) works for both 🤷‍♂️
Unknown parent

Aral Balkan
Aral Balkan
@mxm Yeah, that’s what led me to using sysctl in the first place :) https://source.small-tech.org/site.js/app/-/issues/169

Disable privileged ports security theatre on Linux instead of using setcap (#169) · Issues · Site.js / app

Summary Currently, we’re using setcap to grant the CAP_NET_BIND_SERVICE privilege to allow Node.js (during development and testing) and the Site.js binary...
GitLab
Unknown parent

Aral Balkan
Aral Balkan
@shortwavesurfer2009 👍
in reply to Aral Balkan

BrightSide
BrightSide
You can do this for specific executables using "setcap 'cap_net_bind_service=+ep' /path/to/program"

Or (not to get tangled in another discussion about this) but if you launch with a systemd service you can put AmbientCapabilities=CAP_NET_BIND_SERVICE in your [Service] section
in reply to BrightSide

Aral Balkan
Aral Balkan
@brightside Yeah, I know :)

https://source.small-tech.org/site.js/app/-/issues/169

Disable privileged ports security theatre on Linux instead of using setcap (#169) · Issues · Site.js / app

Summary Currently, we’re using setcap to grant the CAP_NET_BIND_SERVICE privilege to allow Node.js (during development and testing) and the Site.js binary...
GitLab
@brightside
in reply to Aral Balkan

Emacsen
Emacsen
Yes to all of this.

I didn't know it was configurable. This is a huge deal. Thank you!
in reply to Aral Balkan

e-Jim 🖧
e-Jim 🖧
Thanks aral for this food for thought.
I had never considered it.