Summary
The README recommends setting net.ipv4.ip_unprivileged_port_start=0 system-wide so non-root processes can bind privileged ports.
Evidence
README.md:137-149 documents the sysctl change as part of setup guidance.
Risk
This weakens host isolation for every unprivileged process on the machine, not just this stack.
Suggested Remediation
- Prefer a reverse proxy, rootless port-forwarding pattern, socket activation, or a documented host-level alternative that does not globally lower the privileged-port boundary.
- If the sysctl remains documented, mark it clearly as a last-resort tradeoff rather than a normal setup step.
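As an added example (not part of the project's README), the following POSIX shell helper checks whether the host-wide privileged-port boundary has been lowered and prints the per-binary and socket-activation alternatives mentioned above. The file path argument and the check function name are assumptions for illustration; the sysctl path and the `setcap` / systemd mechanisms are standard Linux facilities.

```shell
#!/bin/sh
# Added audit helper, not the project's own code.
# Reports whether net.ipv4.ip_unprivileged_port_start has been lowered
# below the default of 1024 (which would let every unprivileged process
# on the host bind ports below that value).

check_unprivileged_port_start() {
  # $1: optional path to the sysctl file (defaults to the live value);
  #     a saved copy can be passed in for offline checks.
  file="${1:-/proc/sys/net/ipv4/ip_unprivileged_port_start}"
  [ -r "$file" ] || { echo "unknown: $file is not readable"; return 2; }
  value=$(cat "$file")
  case "$value" in
    ""|*[!0-9]*) echo "unknown: unexpected content in $file"; return 2 ;;
  esac
  if [ "$value" -lt 1024 ]; then
    echo "WEAK: ip_unprivileged_port_start=$value (any unprivileged process may bind ports >= $value)"
    return 1
  fi
  echo "OK: ip_unprivileged_port_start=$value (default privileged-port boundary intact)"
  return 0
}

# Scoped alternatives to lowering the boundary host-wide (shown as comments,
# since they need root and a real binary/unit to apply):
#
# 1. Grant only the one binary the right to bind low ports:
#      setcap 'cap_net_bind_service=+ep' /path/to/the/binary
#
# 2. Let systemd (running as root) own the listening socket and hand it to
#    the unprivileged service via socket activation, e.g. in app.socket:
#      [Socket]
#      ListenStream=80
#    with the matching app.service running as a non-root User=.
#
# 3. Terminate port 80/443 on a reverse proxy and forward to a high port.

# Usage: sh audit_ports.sh              (reads the live sysctl value)
#        sh audit_ports.sh saved.txt    (reads a saved value)
check_unprivileged_port_start "$@" || true
```

Exit status 1 flags the weakened setting, 0 the default, and 2 an unreadable or malformed value, so the helper can be dropped into a host-hardening check without parsing its output.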