Unprivileged Binding to Privileged Ports
Binding ports under 1024 to user processes
Normally, the Linux kernel does not allow unprivileged processes to bind to ports below 1024. Therefore, most (web) server processes run as root. From a security point of view this is clearly not ideal: the processes that handle requests from the Internet hold extensive rights, so a hostile takeover of such a process leads directly to root rights on the entire system.
Here, however, systemd offers a way to let our service bind to these ports: the corresponding process is granted the permission to bind to ports below 1024 via AmbientCapabilities=CAP_NET_BIND_SERVICE. An overview of all the other permissions that can be granted this way can be found, for example, in the Linux man page capabilities(7).
At the same time, CapabilityBoundingSet=CAP_NET_BIND_SERVICE can be used to restrict the service so that it may receive only this capability and no other.
The unit file should then look like this:
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
It is best to make such changes as a drop-in, i.e. in a separate override file, rather than editing the unit file itself.
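To make the setting verifiable, here is an added shell example (not from the original post): it prints the drop-in described above and checks, from /proc/<pid>/status, that a running service holds exactly CAP_NET_BIND_SERVICE in its effective, bounding and ambient sets. The service user www and the status excerpts are constructed assumptions.

```shell
#!/bin/sh
# Added example (not the original post's code). Assumed: service user "www";
# check_caps needs no systemd, it works on a copy of /proc/<pid>/status.

# CAP_NET_BIND_SERVICE is capability number 10, i.e. bit mask 1<<10 = 0x400.
NET_BIND_MASK=400

# Drop-in content (e.g. /etc/systemd/system/<unit>.service.d/override.conf).
# User= is assumed; it is what makes the service unprivileged in the first place.
print_dropin() {
    cat <<'EOF'
[Service]
User=www
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
EOF
}

# check_caps STATUS_TEXT: 0 only if CapEff, CapBnd and CapAmb are all exactly
# 0x400; 1 if a set is empty or carries extra bits (e.g. a root-started daemon).
check_caps() {
    status_text="$1"
    for capset in CapEff CapBnd CapAmb; do
        hex=$(printf '%s\n' "$status_text" | awk -v k="$capset:" '$1 == k { print $2 }')
        hex=$(printf '%s' "$hex" | sed 's/^0*//')   # 0000000000000400 -> 400
        [ "$hex" = "$NET_BIND_MASK" ] || return 1
    done
    return 0
}

# check_pid PID: same check against a live process, e.g. the unit's MainPID.
check_pid() {
    check_caps "$(cat "/proc/$1/status")"
}

# Constructed /proc/<pid>/status excerpts: a correctly confined service, and
# a daemon simply started as root (full capability set, no ambient caps).
GOOD_STATUS='CapInh: 0000000000000400
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 0000000000000400
CapAmb: 0000000000000400'
ROOT_STATUS='CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000'
```

Against a live unit, run check_pid "$(systemctl show -p MainPID --value <unit>)" after systemctl daemon-reload and a restart; a non-zero exit means the process still carries more than CAP_NET_BIND_SERVICE.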