Running python webservers on port 80 without root

If you want to have a python webserver running locally and listening on port 80 – or any other port < 1024, you can do it like this:

$ sudo setcap 'cap_net_bind_service=+ep' /usr/bin/python3.8

This gives the /usr/bin/python3.8 binary the ability to bind to privileged ports without being root. Note that this only works for real files, not symlinks, so this will probably not work, as python is generally a symlink:

$ sudo setcap 'cap_net_bind_service=+ep' $(which python)`

I wanted this so that the invoke livereload thing for this blog, could take over from Nginx for local development, giving me incremental live rebuilding & reloading while editing. This happens to use tornado underneath, which is a Python webserver.

Removing Capabilities

If you want to undo this, you do this:

# to remove just that one capability, use -ep
$ sudo setcap 'cap_net_bind_service=-ep' /usr/bin/python3.8

# to see that capabilities on a file
$ getcap  /usr/bin/python3.8

# to remove all of them
$ sudo setcap -r /usr/bin/python3.8


Related Posts