
Linux unprivileged user bind privileged ports

On transport protocols such as TCP, UDP, and SCTP, ports 1-1023 are by default privileged ports. To bind to a privileged port, a process must be running with root permissions. Ports that are greater than 1023 are by default non-privileged.

This is a problem when you want to run a Docker webserver image as an unprivileged user.

The best solution is to expose an unprivileged port instead of port 80. But this might break things when an image is already in use in a context that expects port 80.

To let an unprivileged process (for example varnishd) bind privileged ports, you can use setcap to grant the binary the CAP_NET_BIND_SERVICE capability.

FROM varnish:7.1.0-alpine
USER root
RUN apk add --no-cache libcap && setcap CAP_NET_BIND_SERVICE=+eip /usr/sbin/varnishd
USER varnish
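To verify that the setcap step actually took effect before shipping the image, the following probe (an added example, not part of the original note or the varnish image) reads the same state the kernel consults: the CAP_NET_BIND_SERVICE bit in the process's effective capability set and the net.ipv4.ip_unprivileged_port_start sysctl, then attempts a real bind. It assumes a Linux /proc filesystem; on other systems it falls back to the classic 1024 boundary.

```python
"""Probe whether this process may bind a privileged TCP port, and why."""
import errno
import os
import socket

CAP_NET_BIND_SERVICE = 10  # capability bit number, see capabilities(7)
PROC_STATUS = "/proc/self/status"
PROC_UNPRIV_START = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def effective_caps():
    """Return this process's effective capability bitmask (Linux), or None."""
    try:
        with open(PROC_STATUS) as f:
            for line in f:
                if line.startswith("CapEff:"):
                    return int(line.split()[1], 16)
    except OSError:
        return None
    return None


def has_cap_net_bind_service():
    """True if CAP_NET_BIND_SERVICE is in the effective set (what setcap =+eip grants)."""
    caps = effective_caps()
    return caps is not None and bool((caps >> CAP_NET_BIND_SERVICE) & 1)


def unprivileged_port_start():
    """First port that needs no capability (Linux >= 4.11 sysctl); default 1024."""
    try:
        with open(PROC_UNPRIV_START) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 1024


def expect_bind_allowed(port):
    """Predict the kernel's decision: root, the capability, or a non-privileged port."""
    euid = os.geteuid() if hasattr(os, "geteuid") else 1
    return euid == 0 or has_cap_net_bind_service() or port == 0 or port >= unprivileged_port_start()


def try_bind(port):
    """Try a TCP bind on 127.0.0.1:port; return 'bound', 'permission_denied' or 'in_use'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind(("127.0.0.1", port))
        except PermissionError:
            return "permission_denied"
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return "in_use"
            raise
    return "bound"


if __name__ == "__main__":
    for p in (80, 8080):
        print(p, try_bind(p), "expected allowed" if expect_bind_allowed(p) else "expected denied")
```

Run it inside the container as the varnish user: port 80 should report "bound" only when the capability bit is set (or the sysctl has been lowered), which is the check the Dockerfile above relies on.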