Also worth reiterating that the concept of "well-known" is a incredibly stupid UNIX-ism that doesn't really deserve to exist today however some extremely fringe (and silly) cases around backwards compatibility (that are depending on authenticating based on a port number)

you can fix the stupidity by setting

sysctl net.ipv4.ip_unprivileged_port_start=23

There is some argument to set it just below SSH (port 22) to prevent some stupid service from being able to bind on to port 22, But anything above that should be fair game lifting this limitation stops you from having to give applications root when they start up, or bless them with some systems capability flag through the file system

@picofarad I mean sure, but the overall point is that the fact you (without tweaking this sysctl or setting the fs capability flag) have to run your application as root to bind on 80/443 is really quite silly, and gives your applications a lot of exposure to things, even if they drop down to some other user shortly after binding

@noisytoot does it actually matter which users are binding to the ports?

I generally operate on the rule of thumb that security in a multi-used system is actually dead, if there is a compromise in one of the users, I just assume that root has been compromised as well

Obviously I am not running timeshare systems here or anything similar to that so your mileage may vary

@noisytoot

but even if you're the only actual user, one of the users being compromised doesn't necessarily mean that root is compromised

Yeah but you say a bit of an load bearing "doesn't necessarily" there, I think the only reasonable position to take on multi user systems over the years (at least where there are real stakes) is that a compromise have any user on a multi user system should be treated as a full system compromise. There are just too many variables and they are realistically to hard to verify/assure against, you can try and mitigate them, but assuming your tooling is in place, you should be able to blow away the machine and cycle any rights that box had on it.

(or you might as well just run everything as root)

It's important to consider nuance, just because I don't trust multi user boundaries does not mean that I'm going to actively give away surface for free, at the very least the multi user system permissions help surface bugs sometimes.

@noisytoot I think the difference between us is that you seem to think that me being able to bind on 443 as a 'random' user is a security risk, when I think not being able to is a bigger risk (because it forces various processes to be root (even if at just the stat) or blessed in a magical way)

@cvtsi2sd @wolf480pl ah yes but you see we have a modern day version of this, port 443 + ALPN ;)