Security implications of granting non-root access to privileged ports (<1024)

When you're using rootless Docker/Podman, the risks of allowing users to bind ports < 1024 generally depend on what else is happening on the system.

TBH the old restriction on low ports doesn't really apply that much any more, as loads of sensitive ports are over 1024 (e.g. Docker itself, which will default to listening on 2375 or 2376).

There could be a risk where, for example, you had a sensitive service which you wanted to listen on a low port, and you were concerned that a user-launched service would clash with it; or if you have multiple users who may want to bind a port on a host, and a malicious user could try to get access to it before the "expected" user.

However, where that's not the case, you're probably fine to allow this. Docker's recommended solution here is to allow this for all low ports, which is less fine-grained than the Podman recommendation you mention.


It depends on your system.

If it's a multi-user system with multiple users able to run Docker, you may fall victim to a race attack, where a malicious Docker container is started while your legitimate Docker is restarting for some reason.

However, it's worth noting that becoming root if you can access Docker is generally trivial, and securing your Docker installation is something you should consider if you use it in production.

So allowing Docker to bind directly to ports below 1024 may be a convenient feature worth the security trade-off on a single-user system, or you may decide that it's not worth it in other scenarios. One alternative is to set up a web server (e.g. nginx or Apache) as a reverse proxy in front of the Docker service. The web server will face the world and can handle TLS termination, while Docker doesn't need to care about certificates and can listen on an unprivileged port.
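To turn the first answer's observation (the low-port rule protects nothing at or above 1024, and Docker's blanket approach lowers the threshold for every port at once) into a check you can run on a host, here is an added example that is not part of either answer. It reads the real `net.ipv4.ip_unprivileged_port_start` sysctl where present; the service list is a constructed sample, and the 443 threshold is only an assumed illustration of a narrower setting.

```python
"""Report which listening ports an unprivileged user could bind, and so race a
restarting service for, under a given net.ipv4.ip_unprivileged_port_start value.
Added example; not from the original answers."""
import os

SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"
DEFAULT_START = 1024  # kernel default: ports below this need CAP_NET_BIND_SERVICE

# Constructed sample of services on a host (name -> listening port).
SAMPLE_SERVICES = {
    "ssh": 22,
    "https": 443,
    "docker-plain": 2375,   # Docker daemon defaults, never covered by the rule
    "docker-tls": 2376,
    "app": 8080,
}


def read_unprivileged_port_start(path=SYSCTL_PATH):
    """Return the host's current threshold, or the kernel default if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_START


def contendable_ports(services, start):
    """Ports at or above `start`: any local user may bind them (no capability needed)."""
    return {name: port for name, port in services.items() if port >= start}


def newly_exposed(services, old_start, new_start):
    """Ports protected under old_start that become bindable once new_start is applied."""
    before = contendable_ports(services, old_start)
    after = contendable_ports(services, new_start)
    return {name: port for name, port in after.items() if name not in before}


def main():
    current = read_unprivileged_port_start()
    print(f"current threshold: {current}")
    print("already bindable by any user:", contendable_ports(SAMPLE_SERVICES, current))
    # Docker's documented rootless approach sets the threshold to 0 (all ports).
    print("exposed by threshold=0:", newly_exposed(SAMPLE_SERVICES, current, 0))
    # Assumed narrower setting, as an illustration of a finer-grained choice.
    print("exposed by threshold=443:", newly_exposed(SAMPLE_SERVICES, current, 443))


if __name__ == "__main__":
    main()
```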
