It is kind of funny that the first allocated port outside of the "well-known" range (aka below port 1024) is just a random "network blackjack" entry at port 1025.
benjojo
replied 20 Jan 2026 19:36 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/NTJ9C1J1G18m467ztP
Also worth reiterating that the concept of "well-known" is an incredibly stupid UNIX-ism that doesn't really deserve to exist today; however, aside from some extremely fringe (and silly) cases around backwards compatibility (that depend on authenticating based on a port number), you can fix the stupidity by setting sysctl net.ipv4.ip_unprivileged_port_start=23. There is some argument to set it just below SSH (port 22) to prevent some stupid service from being able to bind to port 22, but anything above that should be fair game. Lifting this limitation stops you from having to give applications root when they start up, or bless them with some system capability flag through the file system.
picofarad@noauthorit..
replied 20 Jan 2026 23:05 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/68534172TctqTdZDXz
@benjojo i... just... use... a reverse proxy like haproxy if i don't want to run as root or whatever. 9 times out of ten whatever i am setting up doesn't even have a public IP anyhow so who cares
benjojo
replied 20 Jan 2026 23:31 +0000
in reply to: https://noauthority.social/users/picofarad/statuses/115929929627804140
@picofarad I mean sure, but the overall point is that the fact you (without tweaking this sysctl or setting the fs capability flag) have to run your application as root to bind on 80/443 is really quite silly, and gives your applications a lot of exposure to things, even if they drop down to some other user shortly after binding.
evey@chaos.social
replied 20 Jan 2026 19:48 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/68534172TctqTdZDXz
@benjojo The biggest culprit is NFSv3, and NFSv4 to a lesser degree. v3 AUTH_SYS regards the UIDs you send as trusted if your source port is in the well-known/privileged port range.
wolf480pl@mstdn.io
replied 20 Jan 2026 19:51 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/68534172TctqTdZDXz
@benjojo or you could pass the listen socket to them at startup from some privileged wrapper (xinetd, or systemd, or s6-tcpserver-socketbinder, etc).
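Putting the two suggestions above together (the ip_unprivileged_port_start sysctl from benjojo's post, and inheriting an already-bound socket from a privileged wrapper such as systemd), here is an added example, not code from anyone in the thread, that decides how a non-root daemon can end up listening on a port like 443. The sysctl path and the LISTEN_PID/LISTEN_FDS socket-activation convention are the real Linux and systemd ones; the helper names and the "inherit"/"bind"/"needs-capability" labels are my own.

```python
import os
from typing import Mapping, Sequence

SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"
SD_LISTEN_FDS_START = 3  # systemd hands inherited listening sockets over starting at fd 3


def unprivileged_port_start(default: int = 1024) -> int:
    """Read the kernel's live threshold; fall back to the historical 1024 when the
    sysctl cannot be read (non-Linux host, container without /proc/sys)."""
    try:
        with open(SYSCTL_PATH) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def is_privileged_port(port: int, start: int) -> bool:
    """Binding needs CAP_NET_BIND_SERVICE (or root) exactly when port < start."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port < start


def inherited_listen_fds(environ: Mapping[str, str], pid: int) -> Sequence[int]:
    """Mirror sd_listen_fds(3): the fds are ours only if LISTEN_PID names this very
    process (the env vars leak to children otherwise); they are fds 3 .. 3+LISTEN_FDS-1."""
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def bind_strategy(port: int, start: int, environ: Mapping[str, str], pid: int) -> str:
    """Pick the listener source that leaves the daemon with the least privilege."""
    if inherited_listen_fds(environ, pid):
        return "inherit"           # a privileged wrapper already bound the socket for us
    if not is_privileged_port(port, start):
        return "bind"              # this host's threshold lets us bind unprivileged
    return "needs-capability"      # setcap cap_net_bind_service=+ep, or start as root


if __name__ == "__main__":
    start = unprivileged_port_start()
    print(f"threshold={start} port 443 -> {bind_strategy(443, start, os.environ, os.getpid())}")
```

Run it once as-is and once under a systemd socket unit to see the strategy flip from "needs-capability" to "inherit" without touching the sysctl.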
cvtsi2sd@hachyderm.i..
replied 20 Jan 2026 20:01 +0000
in reply to: https://mstdn.io/users/wolf480pl/statuses/115929165247226609
@wolf480pl @benjojo speaking of wrappers and well-known ports, I once discovered the service assigned to TCP port 1, and I'm still angry it never caught on.
benjojo
replied 20 Jan 2026 20:02 +0000
in reply to: https://hachyderm.io/users/cvtsi2sd/statuses/115929204803595875
wolf480pl@mstdn.io
replied 20 Jan 2026 20:02 +0000
in reply to: https://hachyderm.io/users/cvtsi2sd/statuses/115929204803595875
sully@splodge.fluff...
replied 20 Jan 2026 21:36 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/68534172TctqTdZDXz
@benjojo Brunel in the 90s controlled inbound access to TCP ports below 1024. The cheeky scamps running the student radio FreeBSD box didn't have sshd also listening on 2222, nooooooo