Using port 80 as non root user
Hello,
Ocsigen Server switched to cohttp recently. But there is still a regression:
For security reasons, we don't want to run the server as the root user. To bind port 80 or 443, the server needs to be launched as root, and we switch to another user after binding the ports.
But I don't see a way in cohttp to be alerted just after bind/listen (or to provide a callback to be executed at that moment).
This issue has been discussed here: https://discuss.ocaml.org/t/eliom-runtime-errors-zero-compile-time-errors/10537/14
Thanks in advance! Vincent
While there's no callback for "post binding" in cohttp, you can avoid launching the binary as root on Linux by running:
setcap 'cap_net_bind_service=+ep' <binary file>
This will then allow it to bind to a low port as a non-privileged user.
Thank you Anil for the idea! Indeed, we can suggest that our users do that until there is a solution.