Kendrick Taylor

Reputation: 2227

I can bind to port 80 as a non-root user in a docker container. Why? What's going on?

Short version:

I can bind to port 80 inside a docker container while running as a non-root user. Please explain.

Long version:

I'm newish to docker, but have a lot of experience otherwise. Everything is making sense to me except this behavior.

I've tried with both the Google centos base image, and the latest docker ubuntu image.

I build a docker image off those bases with the following Dockerfile:

FROM marketplace.gcr.io/google/centos7

# or for ubuntu
# FROM ubuntu
# RUN apt-get update -y && apt-get install -y python

RUN groupadd -g 1000 container && useradd -r -u 1000 -g container container
USER container

Great. Then I build and run it with docker run --rm -it <img_name>, and now I'm in the container with whoami returning "container". I don't have root privileges. touch /root/foo fails with access denied.

Ok, cool. Non-root user, running without root privileges. I can't sudo. I can't su root. Just like I expect.

Then I run:

python -m SimpleHTTPServer 80 and it happily binds to port 80. I can run curl localhost inside the container and I get a response.

What's going on? What am I missing?

Thanks for any help.

I'm running Docker for Mac if it matters. I don't expect it does. (I expected wrong.)

Upvotes: 3

Views: 7128

Answers (2)

BMitch

Reputation: 264761

This behavior was added in 20.3.0 by changing the value of net.ipv4.ip_unprivileged_port_start inside the network namespace to be 0, effectively making all ports unprivileged. Since containers typically run a single app, there's little value to restricting that app to only listen on privileged ports like you would want on a multi-user host.

Upvotes: 6
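An added example, not part of the answer above: a small Linux-only Python check that reads net.ipv4.ip_unprivileged_port_start and the process's effective capabilities, then reports why a bind to a given port would be allowed or denied. The function names are illustrative; the sysctl path and the CAP_NET_BIND_SERVICE bit number (10) are the kernel's.

```python
"""Explain why bind() to a port succeeds or fails for this process (Linux only)."""
import sys

CAP_NET_BIND_SERVICE = 10  # capability bit number from linux/capability.h
SYSCTL = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def parse_cap_eff(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")


def has_net_bind_service(cap_eff):
    """True if the CAP_NET_BIND_SERVICE bit is set in the mask."""
    return bool((cap_eff >> CAP_NET_BIND_SERVICE) & 1)


def explain_bind(port, unprivileged_start, cap_eff):
    """Return (allowed, reason) following the kernel's privileged-port rule."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    if port == 0:
        # Port 0 is never treated as privileged: the kernel picks a port.
        return True, "port 0 asks the kernel for an ephemeral port"
    if port >= unprivileged_start:
        return True, f"port {port} >= ip_unprivileged_port_start ({unprivileged_start})"
    if has_net_bind_service(cap_eff):
        return True, "process holds CAP_NET_BIND_SERVICE"
    return False, f"port {port} < {unprivileged_start} and no CAP_NET_BIND_SERVICE"


def main(port):
    # Both files are per-namespace/per-process views, so run this inside the container.
    with open(SYSCTL) as f:
        start = int(f.read().strip())
    with open("/proc/self/status") as f:
        cap_eff = parse_cap_eff(f.read())
    allowed, reason = explain_bind(port, start, cap_eff)
    print(f"bind to {port}: {'allowed' if allowed else 'denied'} ({reason})")


if __name__ == "__main__":
    main(int(sys.argv[1]) if len(sys.argv) > 1 else 80)
```

Run it as the non-root user inside the container and again on the host to compare the two network namespaces.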

gfelisberto

Reputation: 1723

I just tried this with the ubuntu:18.04 image on a Linux host and it fails to bind to port 80. I repeated it on a Mac, and the same thing that is happening to you happened there.

Now on the Mac you CAN bind to lower ports with a non-root user (just try running python -m SimpleHTTPServer 80 as your login user). So maybe this is normal on the Mac.

Upvotes: 1
