Skip to main content
Software Engineering

Return to Answer

added 1 character in body
Source Link
JimmyJames
JimmyJames
  • 30.9k
  • 3
  • 59
  • 110

The potential issue with running on port 80 is that it's in the range that requires root access to bind to it (at least in *nix.) The problem with running a server under root is that the impact of potential exploits is much higher. For example a server with a path traversal flaw could access the shadow file if it's running haswith root privileges.

You should not be running your server with root/superuser privileges in any environment. The user should be switched to something with minimal privileges after binding if you need to bind to 80 or 443 etc.

If the user is switched to deprivilege the process in dev, I don't see any particular problem with running on 80. If you don't want to do that in dev or can't enforce it, then that's your reason for restricting it. I would just make sure your colleague and other team members understand the real issue is not so much the port number but the risks of running a server as root.

The potential issue with running on port 80 is that it's in the range that requires root access to bind to it (at least in *nix.) The problem with running a server under root is that the impact of potential exploits is much higher. For example a server with a path traversal flaw could access the shadow file if it's running has root privileges.

You should not be running your server with root/superuser privileges in any environment. The user should be switched to something with minimal privileges after binding if you need to bind to 80 or 443 etc.

If the user is switched to deprivilege the process in dev, I don't see any particular problem with running on 80. If you don't want to do that in dev or can't enforce it, then that's your reason for restricting it. I would just make sure your colleague and other team members understand the real issue is not so much the port number but the risks of running a server as root.

The potential issue with running on port 80 is that it's in the range that requires root access to bind to it (at least in *nix.) The problem with running a server under root is that the impact of potential exploits is much higher. For example a server with a path traversal flaw could access the shadow file if it's running with root privileges.

You should not be running your server with root/superuser privileges in any environment. The user should be switched to something with minimal privileges after binding if you need to bind to 80 or 443 etc.

If the user is switched to deprivilege the process in dev, I don't see any particular problem with running on 80. If you don't want to do that in dev or can't enforce it, then that's your reason for restricting it. I would just make sure your colleague and other team members understand the real issue is not so much the port number but the risks of running a server as root.

Source Link
JimmyJames
JimmyJames
  • 30.9k
  • 3
  • 59
  • 110

The potential issue with running on port 80 is that it's in the range that requires root access to bind to it (at least in *nix.) The problem with running a server under root is that the impact of potential exploits is much higher. For example a server with a path traversal flaw could access the shadow file if it's running has root privileges.

You should not be running your server with root/superuser privileges in any environment. The user should be switched to something with minimal privileges after binding if you need to bind to 80 or 443 etc.

If the user is switched to deprivilege the process in dev, I don't see any particular problem with running on 80. If you don't want to do that in dev or can't enforce it, then that's your reason for restricting it. I would just make sure your colleague and other team members understand the real issue is not so much the port number but the risks of running a server as root.