4

A colleague of mine recently pushed a change to the development config for our nginx. He changed the port from 8080 to 80. It's a rather lazy fix for a development-only issue. I reviewed the change and challenged it, calling it not idiomatic for development. Now he's pushing me for more reasons why it's not ok. I think that's a completely reasonable line of enquiry but I am having difficulty understanding exactly why it's a bad idea -- maybe it isn't?

Things I have found:

  • Port 80 is within the 'special' port range (< 1024) and therefore should be reserved for 'special' use (and development does not fall into this category).
  • Historically, partially for the above reason, port 80 is reserved for "root" user and therefore running a daemon on port 80 would imply it has (or required) root priviledge, which isn't the case.

None of these cases are super compelling so is there anything else we should be aware of?

nginx is containerised

Robert Harvey
  • 198,589
  • 55
  • 464
  • 673
Antony Woods
  • 353
  • 1
  • 3
  • 10
  • 6
    That ports < 1024 are reserved for root is not a historic limitation, it's still the case. You'd have to run your development nginx as root to bind to that port. Running development workloads as root is a bad idea, since misconfigurations could break the system. This probably doesn't matter if you're running nginx in a container though. – amon Oct 20 '21 at 11:09
  • 1
    I have no idea why this question is being downvoted. Please can you elaborate in the comments? – Antony Woods Oct 20 '21 at 14:01
  • 1
    @AntonyWoods Your question concerns software engineering practices, is concise, and is clear, so +1 from me. If anything, you might want to juggle a bit with your tags as they all seem to be quite inactive (I'm not sure which one would be better, but I'd at least remove [nginx] as it does not seem relevant to your question). – Vincent Savard Oct 20 '21 at 14:39
  • 1
    @amon: That's as good an answer as any. – Robert Harvey Oct 20 '21 at 14:42
  • @amon I would argue that running any server as root is a security risk. It greatly increases the potential impact of a vulnerability. The idea that doing it in development is somehow worse in than in production seems strange to me. – JimmyJames Oct 20 '21 at 15:35
  • @JimmyJames: The principle there is that the development environment should be a "safe" one. Why expose public ports unnecessarily? This is, of course, also true of production environments, but the developer really shouldn't have to worry about being hacked in a development environment. – Robert Harvey Oct 20 '21 at 17:08
  • @RobertHarvey Maybe I'm missing something but from what I can tell, a port needs to be exposed regardless. The question is whether that port is bound to one that requires root access. The 'right way', as I understanding it is to bind and then change the owner of the process to a user with [minimized privileges](https://en.wikipedia.org/wiki/Principle_of_least_privilege). I don't see why you couldn't do that in development. I can understand why you wouldn't want to bother with that though. – JimmyJames Oct 20 '21 at 17:53

1 Answers1

4

The potential issue with running on port 80 is that it's in the range that requires root access to bind to it (at least in *nix.) The problem with running a server under root is that the impact of potential exploits is much higher. For example a server with a path traversal flaw could access the shadow file if it's running with root privileges.

You should not be running your server with root/superuser privileges in any environment. The user should be switched to something with minimal privileges after binding if you need to bind to 80 or 443 etc.

If the user is switched to deprivilege the process in dev, I don't see any particular problem with running on 80. If you don't want to do that in dev or can't enforce it, then that's your reason for restricting it. I would just make sure your colleague and other team members understand the real issue is not so much the port number but the risks of running a server as root.

JimmyJames
  • 24,682
  • 2
  • 50
  • 92