Is there a way for non-root processes to bind to privileged ports on Linux

It’s very annoying to have this limitation on my development box, when there won’t ever be any users other than me.

I’m aware of the standard workarounds, but none of them do exactly what I want:

  1. authbind (The version in Debian testing, 1.0, only supports IPv4)
  2. Using the iptables REDIRECT target to redirect a low port to a high port (the “nat” table is not yet implemented for ip6tables, the IPv6 version of iptables)
  3. sudo (Running as root is what I’m trying to avoid)
  4. SELinux (or similar). (This is just my dev box, I don’t want to introduce a lot of extra complexity.)

Is there some simple sysctl variable to allow non-root processes to bind to “privileged” ports (ports less than 1024) on Linux, or am I just out of luck?

EDIT: In some cases, you can use capabilities to do this.

Okay, thanks to the people who pointed out the capabilities system and the CAP_NET_BIND_SERVICE capability. If you have a recent kernel, it is indeed possible to use this to start a service as non-root but bind low ports. The short answer is that you do:

setcap 'cap_net_bind_service=+ep' /path/to/program

And then any time program is executed thereafter it will have the CAP_NET_BIND_SERVICE capability. setcap is in the Debian package libcap2-bin.

Now for the caveats:

  1. You will need at least a 2.6.24 kernel
  2. This won’t work if your file is a script (i.e. uses a #! line to launch an interpreter). In this case, as far as I understand, you’d have to apply the capability to the interpreter executable itself, which of course is a security nightmare, since any program using that interpreter will have the capability. I wasn’t able to find any clean, easy way to work around this problem.
  3. Linux will disable LD_LIBRARY_PATH on any program that has elevated privileges like setcap or suid. So if your program uses its own .../lib/, you might have to look into another option like port forwarding.

Resources:

Note: RHEL first added this in v6.
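A pre-flight check for the setcap recipe and caveat 2 above, as an added example that is not part of the original question or answer: it detects the script case (where file capabilities are silently ignored) and reads an existing getcap line to see whether cap_net_bind_service is already in the effective set. The function names are mine; it assumes a POSIX sh and, optionally, getcap from libcap2-bin.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks before granting
# CAP_NET_BIND_SERVICE to a program with setcap (function names are hypothetical).

# Caveat 2: file capabilities are not applied when the kernel runs a #! script,
# because the process image that starts is the interpreter, not the script.
# Returns 0 (true) when $1 begins with "#!".
is_script() {
  [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# Given one line of getcap output, return 0 if cap_net_bind_service is in the
# effective set. Both output formats libcap has used are handled:
#   /path = cap_net_bind_service+ep      (older libcap)
#   /path cap_net_bind_service=ep        (newer libcap)
# Capabilities sharing the same flags are printed comma-joined before the flags,
# so "cap_net_bind_service,cap_setuid+ep" also counts.
has_bind_cap() {
  flags=$(printf '%s\n' "$1" |
    sed -n 's/.*cap_net_bind_service[^ ]*[+=]\([a-z]*\).*/\1/p')
  case "$flags" in
    *e*) return 0 ;;
  esac
  return 1
}

# Drive the checks for one program path and print what a sysadmin would do next.
check_program() {
  prog=$1
  if is_script "$prog"; then
    echo "$prog is a #! script: setcap on it has no effect (caveat 2)"
    return 1
  fi
  if command -v getcap >/dev/null 2>&1 && has_bind_cap "$(getcap "$prog" 2>/dev/null)"; then
    echo "$prog already has cap_net_bind_service in its effective set"
  else
    echo "not yet granted; as root run: setcap 'cap_net_bind_service=+ep' $prog"
  fi
  return 0
}

# Example usage on a constructed script file, so it runs anywhere offline.
sample=$(mktemp)
printf '#!/bin/sh\necho hello\n' > "$sample"
check_program "$sample"
rm -f "$sample"
```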