Explanation for newbies: setuid is a special permission bit that makes an executable run with the permissions of its owner rather than the user executing it. This is often used to let a user run a specific program as root without having sudo access.
If this sounds like a security nightmare, that’s because it is.
In linux, setuid is slowly being phased out by Capabilities. An example of this is the ping command which used to need setuid in order to create raw sockets, but now just needs the cap_net_raw capability. More info: https://unix.stackexchange.com/questions/382771/why-does-ping-need-setuid-permission. Nevertheless, many linux distros still ship with setuid executables, for example passwd from the shadow-utils package.
Last time I was tempted to use suid, it was in order to allow an application I’d written to listen on 80 and 443. Fortunately I found the capabilities way of doing that (
setcap 'cap_net_bind_service=+ep' executable) and that was the first I ever heard of capabilities. I consider myself pretty Linux-savvy, but it was pretty recently that I learned about capabilities.Another potential option here is https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html
ip_unprivileged_port_start - INTEGER This is a per-namespace sysctl. It defines the first unprivileged port in the network namespace. Privileged ports require root or CAP_NET_BIND_SERVICE in order to bind to them. To disable all privileged ports, set this to 0. They must not overlap with the ip_local_port_range. Default: 1024This is also per namespace so you could use it in combination with network namespaces if you really wanted to keep privileged ports.