
I'm not sure what the other answers and comments here are referring to. This is possible rather easily. There are two options, both of which allow access to low-numbered ports without having to elevate the process to root:

Option 1: Use CAP_NET_BIND_SERVICE to grant low-numbered port access to a process:

With this you can grant permanent access to a specific binary to bind to low-numbered ports via the setcap command:

    sudo setcap CAP_NET_BIND_SERVICE=+eip /path/to/binary

For more details on the e/i/p part, see cap_from_text.

After doing this, /path/to/binary will be able to bind to low-numbered ports. Note that you must use setcap on the binary itself rather than a symlink.

Option 2: Use authbind to grant one-time access, with finer user/group/port control:

The authbind (man page) tool exists precisely for this.

  1. Install authbind using your favorite package manager.

  2. Configure it to grant access to the relevant ports, e.g. to allow 80 and 443 from all users and groups:

     sudo touch /etc/authbind/byport/80
     sudo touch /etc/authbind/byport/443
     sudo chmod 777 /etc/authbind/byport/80
     sudo chmod 777 /etc/authbind/byport/443
    
  3. Now execute your command via authbind (optionally specifying --deep or other arguments, see the man page):

     authbind --deep /path/to/binary command line args
    

    E.g.

     authbind --deep java -jar SomeServer.jar
    

There are upsides and downsides to both of the above. Option 1 grants trust to the binary but provides no control over per-port access. Option 2 grants trust to the user/group and provides control over per-port access but older versions supported only IPv4 (since I originally wrote this, newer versions with IPv6 support were released).

Jason C
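
An audit for step 2 of Option 2, as an added example that is not part of the original answer: authbind authorises a bind when the calling user has execute access to the matching file under /etc/authbind/byport, so `chmod 777` opens the port to every local user, while an owner-only mode limits it to one account. The function names and the temporary directory used in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of authbind.
# authbind allows bind() to PORT when the calling user has execute access
# to /etc/authbind/byport/PORT, so that file's owner and mode are the policy.

# byport_scope FILE: print the widest class with execute access
# (world, group, owner or none).
byport_scope() {
    mode=$(stat -c '%a' "$1") || return 1
    m=$((0$mode))                      # read the octal mode as a number
    if   [ $((m & 0001)) -ne 0 ]; then echo world
    elif [ $((m & 0010)) -ne 0 ]; then echo group
    elif [ $((m & 0100)) -ne 0 ]; then echo owner
    else echo none
    fi
}

# audit_byport [DIR]: one line per port file, "PORT SCOPE OWNER:GROUP".
audit_byport() {
    dir=${1:-/etc/authbind/byport}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s %s %s\n' "${f##*/}" "$(byport_scope "$f")" \
            "$(stat -c '%U:%G' "$f")"
    done
}

# grant_port DIR PORT USER: owner-only grant instead of chmod 777.
grant_port() {
    touch "$1/$2" && chown "$3" "$1/$2" && chmod 500 "$1/$2"
}

# Demo on a constructed directory (not the real /etc/authbind/byport).
demo() {
    d=$(mktemp -d) || return 1
    touch "$d/80" && chmod 777 "$d/80"   # the answer's setting: any user
    grant_port "$d" 443 "$(id -u)"       # narrowed to a single account
    audit_byport "$d"
    rm -rf "$d"
}
demo
```

Running `audit_byport` with no argument checks the live /etc/authbind/byport directory; any port reported as `world` can be bound by every local account through authbind.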