What’s Rancher Desktop?

Rancher Desktop runs a Kubernetes cluster in a VM on your desktop. It’ll automatically forward ports from the VM, but the host OS typically won’t allow programs to bind ports below 1024.

Failure with setcap

I tried to use setcap to tell the host OS to allow rancher-desktop to bind those ports, but this broke things. Turns out when you empower a program with those kinds of privileges, it is no longer allowed to load certain shared libraries. This is a security feature to prevent trusted programs from loading unsecure, potentially malicious libraries.

# Need the real path to the binary, not a symlink
RANCHER_DESKTOP=$(readlink -f $(which rancher-desktop))
sudo setcap CAP_NET_BIND_SERVICE=+eip $RANCHER_DESKTOP

rancher-desktop # Error, cannot load ./libffmpeg.so

Success with sysctl

After I sorted out how setcap broke things, I scrapped it and did the simpler, less secure approach of lowering the start of the protected port range to 80. On a desktop with no untrusted users, this is pretty harmless.

PERM="net.ipv4.ip_unprivileged_port_start=80"
CONF="/etc/sysctl.d/50-unprivileged-ports.conf"
sudo sysctl -w $PERM
sudo bash -c "echo '$PERM' > '$CONF'"

Why are some ports protected?

In short, it’s a holdover from when computers were shared by many users. I’ll leave it to a greybeard:

“security … all users can bind all ports” - this a vestigial security feature leftover from the olden days where everyone would share a single computer. At that time the only way to know if you were accessing the real server was to see if it connects on the correct port. Imagine if you ftp into the server thinking you’re getting the server but some rogue user on that server decided to set a fake ftp server on port 21, you’d be sending your files to the rogue user instead of the server LOL! Security has improved a lot since those days… and this “security feature” is merely an annoyance.

Stack Overflow