Post B2UXNaITIVKmoM1w8G by picofarad@noauthority.social
(DIR) Post #B2UDdTy8auBMjep3i4 by benjojo@benjojo.co.uk
2026-01-20T19:32:09Z
0 likes, 0 repeats
It is kind of funny that the first allocated port outside of the "Well-known" (aka below port 1024) range is just a random "network blackjack" entry at port 1025
(DIR) Post #B2UDdV9WC4scPF9f5U by benjojo@benjojo.co.uk
2026-01-20T19:36:17Z
0 likes, 0 repeats
Also worth reiterating that the concept of "well-known" is an incredibly stupid UNIX-ism that doesn't really deserve to exist today, save for some extremely fringe (and silly) cases around backwards compatibility (that depend on authenticating based on a port number).

You can fix the stupidity by setting

sysctl net.ipv4.ip_unprivileged_port_start=23

There is some argument to set it just below SSH (port 22) to prevent some stupid service from being able to bind on to port 22, but anything above that should be fair game. Lifting this limitation stops you from having to give applications root when they start up, or bless them with some system capability flag through the file system.
(DIR) Post #B2UDdW0h0NPl4A27yC by wolf480pl@mstdn.io
2026-01-20T19:51:18Z
0 likes, 0 repeats
@benjojo or you could pass the listen socket to them at startup from some privileged wrapper (xinetd, or systemd, or s6-tcpserver-socketbinder, etc)
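A worked illustration of the socket-handover approach wolf480pl describes, added here as an example and not code from any of the posters or from systemd itself. It reproduces the LISTEN_PID/LISTEN_FDS convention that systemd's sd_listen_fds(3) uses (inherited fds start at 3, and they only count if LISTEN_PID names the current process), then shows a service adopting an already-bound listening socket without ever calling bind() itself. The wrapper and service roles are simulated in one process on a loopback ephemeral port; that port is a constructed stand-in for the privileged wrapper having bound 80 or 443.

```python
import os
import socket

# Constants of the systemd socket-activation protocol (sd_listen_fds(3)).
SD_LISTEN_FDS_START = 3  # first inherited fd; 0, 1 and 2 are stdio


def listen_fds(environ, own_pid):
    """Return the inherited listening fds described by LISTEN_PID/LISTEN_FDS.

    Mirrors the check sd_listen_fds(3) performs: the fds count only if
    LISTEN_PID names *this* process, so a child that inherits the environment
    by accident does not mistake its parent's sockets for its own.
    """
    try:
        if int(environ.get("LISTEN_PID", "")) != own_pid:
            return []
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    if count < 0:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def listen_fd_names(environ, fds):
    """Pair each fd with its LISTEN_FDNAMES entry (colon-separated), if any."""
    names = environ.get("LISTEN_FDNAMES", "")
    parts = names.split(":") if names else []
    return {fd: (parts[i] if i < len(parts) else None) for i, fd in enumerate(fds)}


def adopt_listener(fd):
    """Wrap an inherited, already-listening fd as a socket object.

    No bind() happens here, so the service never needs CAP_NET_BIND_SERVICE
    or root: the privileged wrapper did the binding before handing over the fd.
    """
    return socket.socket(fileno=fd)  # family/type are read back from the fd


def handover_roundtrip():
    """Simulate wrapper -> service handover and prove the socket still works.

    The wrapper binds a loopback ephemeral port (constructed stand-in for
    port 80), duplicates the fd as the service would inherit it, and drops
    its own reference. The service adopts the fd, accepts a client, and the
    function returns True if a payload crosses the connection.
    """
    wrapper = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    wrapper.bind(("127.0.0.1", 0))
    wrapper.listen(1)
    inherited_fd = os.dup(wrapper.fileno())
    wrapper.close()  # the duplicated fd keeps the bound socket alive

    service = adopt_listener(inherited_fd)
    port = service.getsockname()[1]
    client = socket.create_connection(("127.0.0.1", port))
    conn, _ = service.accept()
    client.sendall(b"ping")
    data = conn.recv(4)
    for s in (conn, client, service):
        s.close()
    return data == b"ping"


# The systemd equivalent (not from this thread): a foo.socket unit with
# "ListenStream=80", bound by systemd, and a foo.service that receives the
# socket as fd 3 with LISTEN_PID/LISTEN_FDS set in its environment.

if __name__ == "__main__":
    # Constructed environment as a socket-activated service would see it.
    env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1", "LISTEN_FDNAMES": "http"}
    print("inherited fds:", listen_fd_names(env, listen_fds(env, os.getpid())))
    print("handover works:", handover_roundtrip())
```

The LISTEN_PID check is the part people skip when they hand-roll this: without it, any subprocess the service spawns (a shell, a helper) inherits the same environment and may wrongly believe fd 3 is a listener meant for it.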
(DIR) Post #B2UEdqjI4T0fHQcIwS by wolf480pl@mstdn.io
2026-01-20T20:02:36Z
0 likes, 0 repeats
@cvtsi2sd @benjojo speaking of service names, I'm still mad that getaddrinfo() has the perfect API to transparently resolve SRV records and yet it doesn't, and also I don't know of anyone passing a service name to it
(DIR) Post #B2UUyjoGam3bAOvVsu by picofarad@noauthority.social
2026-01-20T23:05:42Z
0 likes, 0 repeats
@benjojo i... just... use... a reverse proxy like haproxy if i don't want to run as root or whatever. 9 times out of ten whatever i am setting up doesn't even have a public IP anyhow so who cares
(DIR) Post #B2UXNZJUxCYrlFVF5s by benjojo@benjojo.co.uk
2026-01-20T23:31:50Z
0 likes, 0 repeats
@picofarad I mean sure, but the overall point is that the fact you (without tweaking this sysctl or setting the fs capability flag) have to run your application as root to bind on 80/443 is really quite silly, and gives your applications a lot of exposure to things, even if they drop down to some other user shortly after binding
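An added example (my code, not anything posted in this thread) that makes benjojo's two posts concrete: the sysctl he gives and the "capability flag through the file system" he refers to are the two root-free ways past the privileged-port check, and this script shows how to tell, for a given process and port, which one (if either) is in play. It reads net.ipv4.ip_unprivileged_port_start from /proc, parses the CapEff mask from /proc/<pid>/status (CAP_NET_BIND_SERVICE is capability bit 10 in linux/capability.h), and can attempt a real bind to confirm. The STATUS_* strings are constructed sample /proc status excerpts, not captured from any real host.

```python
import socket

CAP_NET_BIND_SERVICE = 10  # bit number from <linux/capability.h>
DEFAULT_UNPRIVILEGED_START = 1024  # kernel default for ip_unprivileged_port_start
SYSCTL_PATH = "/proc/sys/net/ipv4/ip_unprivileged_port_start"

# Root-free alternatives to starting as root (the first is the sysctl from
# the thread, the second is the file-system capability flag it mentions):
#   sysctl -w net.ipv4.ip_unprivileged_port_start=23
#   setcap cap_net_bind_service=+ep /usr/local/bin/myserver

# Constructed /proc/<pid>/status excerpts for illustration only.
STATUS_UNPRIV = "Name:\tapp\nCapEff:\t0000000000000000\n"   # plain user
STATUS_SETCAP = "Name:\tapp\nCapEff:\t0000000000000400\n"   # only bit 10 set
STATUS_ROOT = "Name:\tapp\nCapEff:\t000001ffffffffff\n"     # full root set


def read_unprivileged_port_start(path=SYSCTL_PATH):
    """Current sysctl value, or the kernel default if it cannot be read."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_UNPRIVILEGED_START


def parse_cap_eff(status_text):
    """Extract the effective capability mask (hex) from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line in status text")


def has_cap(cap_mask, cap_bit):
    """True if capability `cap_bit` is set in the effective mask."""
    return (cap_mask >> cap_bit) & 1 == 1


def classify_bind(port, unprivileged_start, cap_mask):
    """Explain why a bind() on `port` would pass or fail the port check.

    Linux allows the bind if the port is at or above the sysctl threshold,
    or if the caller's effective set contains CAP_NET_BIND_SERVICE (root has
    it; so does a setcap'd binary). Otherwise bind() fails with EACCES.
    """
    if port >= unprivileged_start:
        return "unprivileged"          # no special rights needed
    if has_cap(cap_mask, CAP_NET_BIND_SERVICE):
        return "capability"            # allowed via CAP_NET_BIND_SERVICE
    return "denied"                    # would need root, setcap, or the sysctl


def bind_allowed(port, unprivileged_start, cap_mask):
    return classify_bind(port, unprivileged_start, cap_mask) != "denied"


def try_bind(port):
    """Actually attempt a loopback bind; return errno, or None on success."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("127.0.0.1", port))
        return None
    except OSError as e:
        return e.errno
    finally:
        s.close()


if __name__ == "__main__":
    start = read_unprivileged_port_start()
    try:
        with open("/proc/self/status") as f:
            own_mask = parse_cap_eff(f.read())
    except (OSError, ValueError):
        own_mask = 0
    print("ip_unprivileged_port_start =", start)
    for port in (22, 80, 443, 8080):
        print(port, classify_bind(port, start, own_mask), "errno:", try_bind(port))
```

Setting the sysctl to 23 as in the thread makes 80 and 443 "unprivileged" for every process while leaving 22 "denied" for anything without the capability, which is exactly the trade-off the post describes.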
(DIR) Post #B2UXNaITIVKmoM1w8G by picofarad@noauthority.social
2026-01-20T23:32:35Z
0 likes, 0 repeats
@benjojo i agree, it's why i don't mess with it in general :-)