URLs included with text so it doesn't pollute the answer, formatting cleanup, etc
Justine Krejcha


If you are running systemd and Linux, then you can simply add to the server unit file:

# /etc/systemd/system/http_server.service
# ...
[Service]
# ...
AmbientCapabilities=CAP_NET_BIND_SERVICE

And, if, in addition, you want your web server to never gain additional capabilities, you may also add:

CapabilityBoundingSet=CAP_NET_BIND_SERVICE

Read more at the (rather involved) man page capabilities(7), https://man7.org/linux/man-pages/man7/capabilities.7.html, and also at https://unix.stackexchange.com/questions/580597/what-is-the-difference-between-ambientcapabilities-and-capabilityboundingset. And see systemd.exec(5), https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html, for a description of those systemd service unit file configuration options, which define the execution environment of spawned processes.
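As an added example (not part of the answer above), the following POSIX shell check confirms that both directives actually took effect by decoding the CapAmb and CapBnd masks the kernel reports in the service's /proc/<pid>/status. It assumes the main PID is obtained with `systemctl show -p MainPID --value`; the two status excerpts it runs on are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original answer): verify on a live system that
# AmbientCapabilities= and CapabilityBoundingSet= were applied, by decoding the
# Cap* masks in /proc/<pid>/status. CAP_NET_BIND_SERVICE is capability number
# 10 in capabilities(7), so it is bit 10 of each mask.
CAP_NET_BIND_SERVICE=10

# cap_field FILE NAME -> hex mask from the line "NAME:<tab><hex>" (0 if absent)
cap_field() {
    awk -v k="$2:" '$1 == k { print $2; found = 1 } END { if (!found) print 0 }' "$1"
}

# mask_has HEX CAPNUM -> success if bit CAPNUM is set in HEX
mask_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# mask_only HEX CAPNUM -> success if HEX contains exactly that one capability
mask_only() {
    [ $(( 0x$1 )) -eq $(( 1 << $2 )) ]
}

# verify_unit_caps STATUS_FILE -> success iff the ambient set grants
# CAP_NET_BIND_SERVICE and the bounding set is restricted to it alone
verify_unit_caps() {
    mask_has "$(cap_field "$1" CapAmb)" "$CAP_NET_BIND_SERVICE" &&
        mask_only "$(cap_field "$1" CapBnd)" "$CAP_NET_BIND_SERVICE"
}

# Constructed /proc/<pid>/status excerpts (not captured from a real host).
# GOOD: both directives applied. WEAK: only AmbientCapabilities= was set, so
# the bounding set is still the kernel's full set (all 41 capabilities).
GOOD_STATUS=$(mktemp); WEAK_STATUS=$(mktemp)
printf 'CapBnd:\t0000000000000400\nCapAmb:\t0000000000000400\n' > "$GOOD_STATUS"
printf 'CapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000400\n' > "$WEAK_STATUS"

for f in "$GOOD_STATUS" "$WEAK_STATUS"; do
    if verify_unit_caps "$f"; then
        echo "$f: confined to CAP_NET_BIND_SERVICE"
    else
        echo "$f: bounding set NOT restricted (add CapabilityBoundingSet=)"
    fi
done
# On a real host (assumed invocation):
#   verify_unit_caps "/proc/$(systemctl show -p MainPID --value http_server)/status"
```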
