4

A colleague of mine recently pushed a change to the development config for our nginx. He changed the port from 8080 to 80. It's a rather lazy fix for a development-only issue. I reviewed the change and challenged it, calling it not idiomatic for development. Now he's pushing me for more reasons why it's not ok. I think that's a completely reasonable line of enquiry but I am having difficulty understanding exactly why it's a bad idea -- maybe it isn't?

Things I have found:

  • Port 80 is within the 'special' port range (< 1024) and therefore should be reserved for 'special' use (and development does not fall into this category).
  • Historically, partially for the above reason, port 80 is reserved for the "root" user and therefore running a daemon on port 80 would imply it has (or required) root privilege, which isn't the case.

None of these cases are super compelling so is there anything else we should be aware of?

nginx is containerised

7
  • 6
    That ports < 1024 are reserved for root is not a historic limitation, it's still the case. You'd have to run your development nginx as root to bind to that port. Running development workloads as root is a bad idea, since misconfigurations could break the system. This probably doesn't matter if you're running nginx in a container though. Commented Oct 20, 2021 at 11:09
  • 1
    I have no idea why this question is being downvoted. Please can you elaborate in the comments? Commented Oct 20, 2021 at 14:01
  • 1
    @AntonyWoods Your question concerns software engineering practices, is concise, and is clear, so +1 from me. If anything, you might want to juggle a bit with your tags as they all seem to be quite inactive (I'm not sure which one would be better, but I'd at least remove [nginx] as it does not seem relevant to your question). Commented Oct 20, 2021 at 14:39
  • 1
    @amon: That's as good an answer as any. Commented Oct 20, 2021 at 14:42
  • @amon I would argue that running any server as root is a security risk. It greatly increases the potential impact of a vulnerability. The idea that doing it in development is somehow worse than in production seems strange to me. Commented Oct 20, 2021 at 15:35

1 Answer

4

The potential issue with running on port 80 is that it's in the range that requires root access to bind to it (at least in *nix). The problem with running a server under root is that the impact of potential exploits is much higher. For example, a server with a path traversal flaw could access the shadow file if it's running with root privileges.

You should not be running your server with root/superuser privileges in any environment. The user should be switched to something with minimal privileges after binding if you need to bind to 80 or 443 etc.

If the user is switched to deprivilege the process in dev, I don't see any particular problem with running on 80. If you don't want to do that in dev or can't enforce it, then that's your reason for restricting it. I would just make sure your colleague and other team members understand the real issue is not so much the port number but the risks of running a server as root.

1
  • Thanks, I think this is enough for me to have another conversation with my team and discuss what we should do Commented Oct 21, 2021 at 8:30
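
An added example, not part of the answer above or of nginx itself: a small Python check that reads an nginx config and reports which `listen` ports fall in the root-only range and whether the `user` directive leaves the workers running as root after binding. The sample configs are constructed, the function names are hypothetical, and the parser is simplified (it does not follow `include` files or handle `;` and `#` inside quoted strings).

```python
import re

# Constructed sample configs (not from the question): one on port 80, one on 8080.
DEV_PORT_80 = """
user root;   # workers keep root after the bind
http { server { listen 80; listen [::]:80; location / { return 200 "ok"; } } }
"""
DEV_PORT_8080 = """
user nginx;
http { server { listen 127.0.0.1:8080; } }
"""

def directives(conf):
    """Yield each directive as a list of words; comments and braces are dropped."""
    text = re.sub(r"#[^\n]*", "", conf)
    for chunk in re.split(r"[;{}]", text):
        words = chunk.split()
        if words:
            yield words

def listen_port(arg):
    """Port named by the first argument of `listen`, or None for a unix socket."""
    if arg.startswith("unix:"):
        return None
    if arg.isdigit():
        return int(arg)
    m = re.search(r":(\d+)$", arg)
    return int(m.group(1)) if m else 80  # address without a port: nginx uses 80

def audit(conf):
    """Report root-only listen ports and the account the workers switch to."""
    ports, worker_user = set(), None
    for words in directives(conf):
        if words[0] == "listen" and len(words) > 1:
            port = listen_port(words[1])
            if port is not None:
                ports.add(port)
        elif words[0] == "user" and len(words) > 1:
            worker_user = words[1]
    return {
        "privileged_ports": sorted(p for p in ports if p < 1024),  # need root to bind
        "worker_user": worker_user,          # None means no user directive in this file
        "workers_as_root": worker_user == "root",
    }

if __name__ == "__main__":
    for name, conf in (("port 80", DEV_PORT_80), ("port 8080", DEV_PORT_8080)):
        print(name, audit(conf))
```

A config that reports privileged ports together with `workers_as_root` is the case the answer warns about; privileged ports with an unprivileged worker account is the "switch user after binding" case.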
