On Wed, May 19, 2021 at 8:51 AM Richard Hector wrote:

> Does that not depend on whether it does anything before dropping
> privileges? For example, a webserver can bind to low ports before
> dropping privilege. I imagine if the systemd service unit specified
> running as (eg) www-data, that wouldn't work.

I don't know the details, but I think systemd can open the ports and transparently pass them to the unprivileged process when it is spawned without any data loss, in a similar way to how the inetd stuff used to work.

http://0pointer.de/blog/projects/inetd.html

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
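
The service side of the socket passing described in the reply, as an added example that is not part of the original message or of systemd itself: a process that never binds a port and only adopts the listening socket handed to it. It assumes the process is started from a `.socket` unit with `ListenStream=` and a service unit with `User=www-data`; the function names `listen_fds` and `adopt` are hypothetical.

```python
import os
import socket

SD_LISTEN_FDS_START = 3  # first inherited descriptor in systemd's protocol


def listen_fds(environ=None, pid=None):
    """Return the descriptor numbers systemd passed to this process."""
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    try:
        # LISTEN_PID guards against a child inheriting stale variables.
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + max(count, 0)))


def adopt(fd):
    """Wrap an inherited descriptor, refusing anything not already listening."""
    sock = socket.socket(fileno=fd)  # family and type are detected from the fd
    if not sock.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN):
        sock.detach()  # leave the descriptor open for the caller
        raise ValueError(f"fd {fd} is not a listening socket")
    return sock


if __name__ == "__main__":
    fds = listen_fds()
    if not fds:
        # No fallback bind: an unprivileged user could not take a low port.
        raise SystemExit("not socket-activated; refusing to bind a port myself")
    server = adopt(fds[0])
    print("euid", os.geteuid(), "serving on", server.getsockname())
    conn, _ = server.accept()
    conn.sendall(b"hello from an unprivileged process\n")
    conn.close()
```
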

