[otterley]

It's better to run as a non-root user, and use the CAP_NET_BIND_SERVICE capability (see capabilities(7)) to allow only the minimal privileges necessary to bind to a low-numbered port. A lot of Linux admins are unaware that this is the modern best practice for running applications securely.

Starting as root for the sole purpose of binding to a low-numbered port and then dropping privileges is an outdated practice that is both difficult to program correctly and arguably unnecessary today.

[sjy]

Thanks for pointing this out. I usually rely on the default settings in Arch Linux to handle stuff like this in the default package configuration, but it seems that the nginx package’s [1] systemd service [2] is not set up that way. Maybe it should be updated with a non-root User= and Capability=CAP_NET_BIND_SERVICE directive?

[1] https://www.archlinux.org/packages/extra/x86_64/nginx/

[2] https://github.com/archlinux/svntogit-packages/blob/packages...

[cpach]

This is why i love HN. Had no idea about that capability. Thanks for enlightening us!

A quick googling tells me that FreeBSD has something similar: https://gist.github.com/TomHetmer/b0a048d688af78e78f45609880...

PS. If I would have bothered to read the whole Stack Exchange article I linked to, that capability is even mentioned there (^_^) https://unix.stackexchange.com/a/134324/68449

[gui77aume]

Nice to know. Also, using a container, the port number generally doesn't matter so much.

[cmckn]

Totally, just run things on 8080/8443 in the container and then use your privileges outside the container to map 80/443 on the host. Don’t use low-numbered ports until you truly have to, IMO.

[brigandish]

Why not use gosu or su-exec to run the entrypoint command? That's straightforward.

[otterley]

Better to never have root privileges anywhere in the container. Entry points can be overridden and never running as root at all greatly reduces the attack surface.