setcap Linux Command

March 19, 2018

Today I learned something new that I want to share with you. I knew that listening on a port below 1024 requires special privilege: on Linux the process must be root (or, as it turns out, hold one specific capability), and the usual way to get there is to run it with sudo. But running an application with sudo is not a good idea, because a root process can do almost anything to your operating system, with unexpected results if the application has a bug or gets compromised (you surely don't want it to delete all your files with rm -rf).

Imagine that you have written a Golang http server and you want it to listen on port 80. To grant only this one privilege, and nothing else, you can use the setcap command on Linux (it comes with libcap, packaged as libcap2-bin on Debian/Ubuntu). The +ep suffix adds the capability to the file's effective and permitted sets, so it is active as soon as the program starts:

sudo setcap cap_net_bind_service=+ep /your/executable/file/path

That way the executable gets exactly one extra privilege, CAP_NET_BIND_SERVICE, and the process otherwise runs as your normal user. Two caveats are worth knowing. First, the capability is stored on the file itself (in the security.capability extended attribute), so anyone who can execute that file gets it, and it is lost whenever the file is replaced, which is exactly what go build does, so you have to run setcap again after every rebuild; it also has no effect on a filesystem mounted with nosuid. Second, this is not a sandbox: the process can still do everything your user can do, it just cannot do what root can do.
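As an added example (not from the original post), here is what the Go server side of this can look like. Instead of failing with a bare "permission denied", it checks the CapEff mask in /proc/self/status for the CAP_NET_BIND_SERVICE bit (capability number 10 in <linux/capability.h>) before binding, and when the kernel does refuse the bind with EACCES it prints the exact setcap command for its own executable. The hasCapBit, effectiveCapMask, canBindPrivileged and isPermissionDenied helpers are my names, not part of any library; the /proc status format is the real one but only works on Linux.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"log"
	"net"
	"net/http"
	"os"
	"strconv"
	"strings"
	"syscall"
)

// capNetBindService is the capability number from <linux/capability.h>.
const capNetBindService = 10

// hasCapBit reports whether capability bit `bit` is set in a hex capability
// mask as printed in /proc/<pid>/status (e.g. "CapEff:\t0000000000000400").
func hasCapBit(hexMask string, bit uint) (bool, error) {
	mask, err := strconv.ParseUint(strings.TrimSpace(hexMask), 16, 64)
	if err != nil {
		return false, err
	}
	return mask&(1<<bit) != 0, nil
}

// effectiveCapMask extracts the CapEff value from the text of a /proc
// status file. It is split from the file I/O so it can be run on a
// constructed status string.
func effectiveCapMask(status string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, "CapEff:") {
			return strings.TrimSpace(strings.TrimPrefix(line, "CapEff:")), nil
		}
	}
	return "", errors.New("CapEff line not found")
}

// canBindPrivileged reports whether this process currently holds
// CAP_NET_BIND_SERVICE in its effective set (Linux only).
func canBindPrivileged() (bool, error) {
	data, err := os.ReadFile("/proc/self/status")
	if err != nil {
		return false, err
	}
	mask, err := effectiveCapMask(string(data))
	if err != nil {
		return false, err
	}
	return hasCapBit(mask, capNetBindService)
}

// isPermissionDenied walks the error chain returned by net.Listen
// (*net.OpError -> *os.SyscallError -> syscall.Errno) and reports whether
// the kernel refused the bind with EACCES, which is what a port below 1024
// gives you without CAP_NET_BIND_SERVICE.
func isPermissionDenied(err error) bool {
	return errors.Is(err, syscall.EACCES)
}

func main() {
	addr := ":80"
	if ok, err := canBindPrivileged(); err == nil && !ok {
		log.Printf("warning: CAP_NET_BIND_SERVICE is not in the effective set; binding %s will likely fail", addr)
	}
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		if isPermissionDenied(err) {
			exe, _ := os.Executable()
			log.Fatalf("bind %s: permission denied. Grant the capability with:\n  sudo setcap cap_net_bind_service=+ep %s", addr, exe)
		}
		log.Fatal(err)
	}
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "hello from a non-root process on a privileged port")
	})
	log.Fatal(http.Serve(ln, nil))
}
```

After running setcap on the built binary you can confirm the file attribute with getcap on the same path; the warning in main is the runtime side of the same check, and will fire again right after a go build because the rebuilt file no longer carries the capability.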

cap_net_bind_service is just one of the many capabilities you can grant this way. To see the others, type:

man capabilities

That’s it :)