Explanation for newbies: setuid is a special permission bit that makes an executable run with the permissions of its owner rather than the user executing it. This is often used to let a user run a specific program as root without having sudo access.

If this sounds like a security nightmare, that’s because it is.

In linux, setuid is slowly being phased out by Capabilities. An example of this is the ping command which used to need setuid in order to create raw sockets, but now just needs the cap_net_raw capability. More info: https://unix.stackexchange.com/questions/382771/why-does-ping-need-setuid-permission. Nevertheless, many linux distros still ship with setuid executables, for example passwd from the shadow-utils package.

  • qqq@lemmy.world
    4·
    2 days ago

    Another potential option here is https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html

    ip_unprivileged_port_start - INTEGER

    This is a per-namespace sysctl. It defines the first unprivileged port in the network namespace. Privileged ports require root or CAP_NET_BIND_SERVICE in order to bind to them. To disable all privileged ports, set this to 0. They must not overlap with the ip_local_port_range.

    Default: 1024

    This is also per namespace so you could use it in combination with network namespaces if you really wanted to keep privileged ports.