[GH-ISSUE #58] Option to drop privileges after binding to port 53? #19

Closed
opened 2026-03-13 15:23:23 +03:00 by kerem · 2 comments

Originally created by @Daniel15 on GitHub (Mar 18, 2018).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/58

From the readme:

> Please note that acme-dns needs to open a privileged port (53, domain), so it needs to be run with elevated privileges

Is it possible to add a config option to drop privileges after starting the app? A daemon running as root scares me :)

kerem closed this issue 2026-03-13 15:23:28 +03:00

@joohoi commented on GitHub (Mar 18, 2018):

Building this in acme-dns would make it very much tied to the underlying operating system.

Acme-dns however allows you to configure the port used for DNS, so you can bind it to an unprivileged port and use iptables rules to handle the port forwarding using the `PREROUTING` chain, for example:

```
-A PREROUTING -i eth0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
```

to forward public port 53 to unprivileged port 5353. Or do this directly from the edge firewall, depending on your infrastructure of course. This will allow you to run acme-dns as an unprivileged user.

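The redirect approach from the comment above, worked out as an added example (this is not acme-dns project code and not from the thread). The single rule in the comment covers only IPv4 UDP arriving on `eth0`; a DNS server also needs TCP (clients retry over TCP when a UDP answer is truncated), the same rules in `ip6tables` if the host has an IPv6 address, and a `nat OUTPUT` rule, because packets generated on the host itself (a local `dig @127.0.0.1` to check the setup) never traverse `PREROUTING`. The interface name, ports, and the `redirect_rules`/`apply_rules` function names are assumptions for the example:

```shell
#!/bin/sh
# Added example, not acme-dns project code: emit (and optionally apply) the
# NAT redirect rules that let acme-dns listen unprivileged on a high port while
# the public port stays 53. Assumed tools: iptables/ip6tables with the nat
# table. Interface and port numbers are parameters, not values from the thread.

# redirect_rules IFACE PUBLIC_PORT LOCAL_PORT
# Prints one complete command per line, covering:
#   - UDP and TCP (resolvers fall back to TCP for truncated responses)
#   - IPv4 and IPv6 (REDIRECT in the ip6tables nat table needs Linux >= 3.7)
#   - OUTPUT as well as PREROUTING: locally generated packets skip PREROUTING,
#     so without the OUTPUT rule a test from the host itself would reach
#     port 53 directly and be refused while remote clients work fine.
redirect_rules() {
  iface=$1; pub=$2; local_port=$3
  for tool in iptables ip6tables; do
    for proto in udp tcp; do
      printf '%s\n' "$tool -t nat -A PREROUTING -i $iface -p $proto --dport $pub -j REDIRECT --to-ports $local_port"
      printf '%s\n' "$tool -t nat -A OUTPUT -o lo -p $proto --dport $pub -j REDIRECT --to-ports $local_port"
    done
  done
}

# apply_rules IFACE PUBLIC_PORT LOCAL_PORT: run each generated command as root,
# stopping at the first failure (sh -e), so a partial rule set is noticed.
apply_rules() {
  redirect_rules "$@" | sh -e
}

# Usage: sh redirect.sh eth0 53 5353        (print the rules for review)
#        sh redirect.sh eth0 53 5353 apply  (install them; requires root)
if [ $# -ge 3 ]; then
  if [ "${4:-}" = apply ]; then
    apply_rules "$1" "$2" "$3"
  else
    redirect_rules "$1" "$2" "$3"
  fi
fi
```

After `REDIRECT` the packet reaches the `filter INPUT` chain with destination port 5353, not 53, so any existing `INPUT` accept rule for port 53 must be changed to (or duplicated for) the unprivileged port, and acme-dns itself should be configured to listen on `5353`. The rules are not persistent across reboots on their own; save them with the distribution's iptables-persistent mechanism or put the `apply` invocation in a unit that runs before acme-dns starts.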

@Daniel15 commented on GitHub (Mar 18, 2018):

Thanks. I ended up just granting the `CAP_NET_BIND_SERVICE` capability to the executable to allow it to bind to ports below 1024:

```
setcap 'cap_net_bind_service=+ep' /usr/local/bin/acme-dns
```