by gui77aume 2068 days ago
Shouldn't the Dockerfile have a USER directive, so it doesn't use root by default?
2 comments

Exactly. Just like the nginx-unprivileged https://github.com/nginxinc/docker-nginx-unprivileged

I've opened them an issue just in case https://github.com/bunkerity/bunkerized-nginx/issues/11

AFAIK, it works like this:

A web server needs root privileges in order to bind ports 80/443.

But in this case it’s only the primary Nginx process that will run as root. The subprocesses will run as a non-privileged user, as specified with the “user nginx” directive.

https://github.com/bunkerity/bunkerized-nginx/blob/master/co...

https://unix.stackexchange.com/questions/134301/why-does-ngi...

It's better to run as a non-root user, and use the CAP_NET_BIND_SERVICE capability (see capabilities(7)) to allow only the minimal privileges necessary to bind to a low-numbered port. A lot of Linux admins are unaware that this is the modern best practice for running applications securely.

Starting as root for the sole purpose of binding to a low-numbered port and then dropping privileges is an outdated practice that is both difficult to program correctly and arguably unnecessary today.
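
As an added example (not code from this thread, from nginx, or from the bunkerized-nginx project), here is a POSIX shell check a defender can run to verify the least-privilege setup described above: it decodes the effective capability mask (CapEff) that the kernel reports in /proc/<pid>/status and reports whether a process holds CAP_NET_BIND_SERVICE, holds it alone, or holds nothing. It assumes only that CAP_NET_BIND_SERVICE is capability number 10, as listed in capabilities(7). The sample status lines for an nginx worker are constructed for the example, not captured from a real host; the function names are the example's own.

```shell
#!/bin/sh
# Added example: decode a process's effective capability mask (CapEff) from
# /proc/<pid>/status and check it against the minimal set a non-root web
# server needs to bind port 80/443. Assumption (capabilities(7)):
# CAP_NET_BIND_SERVICE is capability number 10, i.e. bit 1 << 10 = 0x400.

CAP_NET_BIND_SERVICE_BIT=10

# Read /proc/<pid>/status-style text on stdin and print the CapEff mask
# (hex digits without a 0x prefix, exactly as the kernel prints it).
capeff_from_status() {
    sed -n 's/^CapEff:[[:space:]]*//p'
}

# True (exit 0) if the hex mask $1 has the CAP_NET_BIND_SERVICE bit set.
has_cap_net_bind_service() {
    [ -n "$1" ] || return 2
    [ $(( (0x$1 >> CAP_NET_BIND_SERVICE_BIT) & 1 )) -eq 1 ]
}

# True if the mask holds CAP_NET_BIND_SERVICE and nothing else: the least
# privilege needed to bind a low port without being root.
has_only_cap_net_bind_service() {
    [ -n "$1" ] || return 2
    [ $(( 0x$1 )) -eq $(( 1 << CAP_NET_BIND_SERVICE_BIT )) ]
}

# Print one verdict for a mask: "minimal" (only CAP_NET_BIND_SERVICE),
# "excess" (CAP_NET_BIND_SERVICE plus other capabilities, e.g. a root shell
# or a default container entrypoint), or "none" (cannot bind 80/443).
classify_caps() {
    if has_only_cap_net_bind_service "$1"; then
        echo "minimal"
    elif has_cap_net_bind_service "$1"; then
        echo "excess"
    else
        echo "none"
    fi
}

# Constructed sample (not captured from a real host) of the relevant
# /proc/<pid>/status lines for a worker that holds exactly CAP_NET_BIND_SERVICE.
sample_status() {
    printf 'Name:\tnginx\nUid:\t101\t101\t101\t101\nCapEff:\t0000000000000400\n'
}

mask=$(sample_status | capeff_from_status)
echo "sample worker: CapEff=$mask -> $(classify_caps "$mask")"

# When run on Linux, also report the capabilities of this shell itself.
if [ -r /proc/self/status ]; then
    mask=$(capeff_from_status < /proc/self/status)
    echo "this shell:    CapEff=$mask -> $(classify_caps "$mask")"
fi
```

Run it as a script, or point capeff_from_status at /proc/<pid>/status for a running nginx master and worker to confirm that only the "minimal" mask remains. To get there without ever starting as root, a systemd unit can combine User= with AmbientCapabilities=CAP_NET_BIND_SERVICE, and in a container the binary can be given the file capability with setcap cap_net_bind_service=+ep, or the server can simply listen on 8080/8443 and have the port mapped on the host.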

Thanks for pointing this out. I usually rely on the default settings in Arch Linux to handle stuff like this in the default package configuration, but it seems that the nginx package’s [1] systemd service [2] is not set up that way. Maybe it should be updated with a non-root User= and Capability=CAP_NET_BIND_SERVICE directive?

[1] https://www.archlinux.org/packages/extra/x86_64/nginx/

[2] https://github.com/archlinux/svntogit-packages/blob/packages...

This is why I love HN. Had no idea about that capability. Thanks for enlightening us!

A quick googling tells me that FreeBSD has something similar: https://gist.github.com/TomHetmer/b0a048d688af78e78f45609880...

PS. If I had bothered to read the whole Stack Exchange article I linked to, that capability is even mentioned there (^_^) https://unix.stackexchange.com/a/134324/68449

Nice to know. Also, using a container, the port number generally doesn't matter so much.
Totally, just run things on 8080/8443 in the container and then use your privileges outside the container to map 80/443 on the host. Don’t use low-numbered ports until you truly have to, IMO.

Why not use gosu or su-exec to run the entrypoint command? That's straightforward.

Better to never have root privileges anywhere in the container. Entry points can be overridden and never running as root at all greatly reduces the attack surface.