If you are on Solaris (10 or higher works from experience) you can grant a single user the ability to bind to the lower ports:
usermod -K defaultpriv=basic,net_privaddr ${user}
You can off course also assign the privileges to a role, and then assign the user that role so as required they can su to the role and use the privileges.
setcap solves the problem in the wrong way in this scenario imho: With setcap, any user could run node with a node script using ports < 1024.
What would be more useful is the ability to allow a _user_ to open a privileged port. In my option mappu's answer is the right way to go, i.e. using authbind to allow a certain user to open a port or a range of ports.
It's probably a better idea to just run nginx on port 80 and proxy requests through in any sort of real environment. And if you're not in production...well, it doesn't really matter which port you choose anyway.
Alternatively, if you don't trust a large program with dropping root, you can factor out the binding and listening into a separate program. Then accepting and everything beyond can be done with normal privileges.
Assuming a tcpserver-like program called tcplisten, this would look like
I wrote a similar article a few weeks ago (http://syskall.com/dont-run-node-dot-js-as-root/) but have since then realized that changing the process' UID brings a lot of unexpected problems and a much simpler solution is to use a higher port and proxy via nginx. For example, if you initialize a logger before starting your HTTP server and changing the process UID, you will might create root owned files and eventually run into permission conflicts.
Actually, even in the classical Unix security model, setuid'ing to nobody is considered a bad idea. Because so many services do it, giving an attacker an opportunity to become nobody will likely grant him access to those other services as well.
[+] [-] ejdyksen|13 years ago|reply
[+] [-] X-Istence|13 years ago|reply
Here is a pretty neat description of what is possible and why it is pretty awesome: http://www.c0t0d0s0.org/archives/4075-Less-known-Solaris-fea...
---
On FreeBSD if you have the MAC framework enabled, you can use the portacl module to give new privileges:
See http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ma... for more information.[+] [-] typpo|13 years ago|reply
[+] [-] ruxkor|13 years ago|reply
What would be more useful is the ability to allow a _user_ to open a privileged port. In my option mappu's answer is the right way to go, i.e. using authbind to allow a certain user to open a port or a range of ports.
[+] [-] hahainternet|13 years ago|reply
[+] [-] Hello71|13 years ago|reply
[+] [-] wonnage|13 years ago|reply
[+] [-] m0th87|13 years ago|reply
[+] [-] parasight|13 years ago|reply
[+] [-] jaytaylor|13 years ago|reply
[1] http://haproxy.1wt.eu
[+] [-] trebor|13 years ago|reply
[+] [-] mappu|13 years ago|reply
http://en.wikipedia.org/wiki/Authbind
[+] [-] darklajid|13 years ago|reply
[+] [-] renownedmedia|13 years ago|reply
[+] [-] sigil|13 years ago|reply
Assuming a tcpserver-like program called tcplisten, this would look like
FastCGI works similarly. Multiple workers can run underneath, calling accept(2) on stdin.A simple implementation of tcplisten:
https://gist.github.com/4211098
[+] [-] olalonde|13 years ago|reply
[+] [-] Hello71|13 years ago|reply
[+] [-] zorked|13 years ago|reply
[+] [-] jeremiep|13 years ago|reply