Propose CAP_NET_BIND_SERVICE instead running Synapse with root (#18408)

There are alternative ways to use low numbered ports besides root. Users might be mislead into thinking they should run Synapse with root privileges.
2025-12-05 01:10:13 +00:00 · 2025-06-04 22:44:25 +02:00
parent 9b2bc75ed4
commit 586b82e580
2 changed files with 5 additions and 4 deletions
--- a/changelog.d/18408.doc
+++ b/changelog.d/18408.doc
@@ -0,0 +1 @@
+Mention `CAP_NET_BIND_SERVICE` as an alternative to running Synapse as root in order to bind to a privileged port.
--- a/docs/reverse_proxy.md
+++ b/docs/reverse_proxy.md
@@ -5,10 +5,10 @@ It is recommended to put a reverse proxy such as
 [Apache](https://httpd.apache.org/docs/current/mod/mod_proxy_http.html),
 [Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy),
 [HAProxy](https://www.haproxy.org/) or
-[relayd](https://man.openbsd.org/relayd.8) in front of Synapse. One advantage
-of doing so is that it means that you can expose the default https port
-(443) to Matrix clients without needing to run Synapse with root
-privileges.
+[relayd](https://man.openbsd.org/relayd.8) in front of Synapse.
+This has the advantage of being able to expose the default HTTPS port (443) to Matrix
+clients without requiring Synapse to bind to a privileged port (port numbers less than
+1024), avoiding the need for `CAP_NET_BIND_SERVICE` or running as root.

 You should configure your reverse proxy to forward requests to `/_matrix` or
 `/_synapse/client` to Synapse, and have it set the `X-Forwarded-For` and
				`@@ -0,0 +1 @@`
				Mention `CAP_NET_BIND_SERVICE` as an alternative to running Synapse as root in order to bind to a privileged port.