4

A colleague of mine recently pushed a change to the development config for our nginx. He changed the port from 8080 to 80. It's a rather lazy fix for a development-only issue. I reviewed the change and challenged it, calling it not idiomatic for development. Now he's pushing me for more reasons why it's not ok. I think that's a completely reasonable line of enquiry but I am having difficulty understanding exactly why it's a bad idea -- maybe it isn't?

Things I have found:

  • Port 80 is within the 'special' port range (< 1024) and therefore should be reserved for 'special' use (and development does not fall into this category).
  • Historically, partially for the above reason, port 80 is reserved for the "root" user and therefore running a daemon on port 80 would imply it has (or required) root privilege, which isn't the case.

None of these cases are super compelling so is there anything else we should be aware of?

nginx is containerised

Robert Harvey
Antony Woods

1 Answer

4

The potential issue with running on port 80 is that it's in the range that requires root access to bind to it (at least in *nix). The problem with running a server under root is that the impact of potential exploits is much higher. For example, a server with a path traversal flaw could access the shadow file if it's running with root privileges.

You should not be running your server with root/superuser privileges in any environment. The user should be switched to something with minimal privileges after binding if you need to bind to 80 or 443 etc.

If the user is switched to deprivilege the process in dev, I don't see any particular problem with running on 80. If you don't want to do that in dev or can't enforce it, then that's your reason for restricting it. I would just make sure your colleague and other team members understand the real issue is not so much the port number but the risks of running a server as root.

JimmyJames supports Canada
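One way to check a config for the condition the answer above describes, as an added example that is not part of the original answer or of nginx: a small Python lint that lists `listen` ports below 1024 and the `user` the workers switch to. The sample configs and the names `audit` and `listen_port` are constructed for illustration.

```python
import re

PRIVILEGED_BELOW = 1024  # on *nix, binding a port below this needs root

def listen_port(arg):
    """Port implied by the first argument of an nginx `listen` directive."""
    if arg.startswith("unix:"):            # unix-domain socket: no TCP port
        return None
    if arg.isdigit():                      # listen 8080;
        return int(arg)
    m = re.search(r":(\d+)$", arg)         # listen 127.0.0.1:8080; listen [::]:80;
    return int(m.group(1)) if m else 80    # address only: nginx defaults to port 80

def audit(conf):
    """Report privileged listen ports and the user the workers end up as."""
    conf = re.sub(r"#[^\n]*", "", conf)    # drop comments (no quoted '#' handling)
    ports = [listen_port(a) for a in re.findall(r"\blisten\s+([^\s;]+)", conf)]
    low = sorted({p for p in ports if p is not None and p < PRIVILEGED_BELOW})
    # `user` only takes effect when nginx is started as root; the master
    # process stays root and only the workers switch to this user.
    m = re.search(r"(?:^|[;{}])\s*user\s+([^\s;]+)", conf, re.M)
    worker_user = m.group(1) if m else None  # None: nginx's built-in default user
    if worker_user == "root":
        verdict = "risk: workers stay root when nginx is started as root"
    elif low:
        verdict = "root needed to bind; workers switch to " + (worker_user or "the default user")
    else:
        verdict = "no root needed to bind"
    return {"privileged_ports": low, "worker_user": worker_user, "verdict": verdict}

# Constructed sample configs (not the asker's real files).
DEV_BEFORE = """
user www-data;
events {}
http { server { listen 8080; listen [::]:8080; } }   # original dev port
"""
DEV_AFTER = DEV_BEFORE.replace("8080", "80")          # the change under review
ROOT_WORKERS = "user root; events {} http { server { listen 127.0.0.1; } }"

if __name__ == "__main__":
    for name, conf in [("before", DEV_BEFORE), ("after", DEV_AFTER), ("root", ROOT_WORKERS)]:
        print(name, audit(conf))
```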