Propose CAP_NET_BIND_SERVICE instead running Synapse with root (#18408)

smoorg · web-flow · commit 586b82e5800d · 2025-06-04T20:44:25.000Z
There are alternative ways to use low numbered ports besides root. Users
might be mislead into thinking they should run Synapse with root
privileges.
diff --git a/changelog.d/18408.doc b/changelog.d/18408.doc
@@ -0,0 +1 @@
+Mention `CAP_NET_BIND_SERVICE` as an alternative to running Synapse as root in order to bind to a privileged port.
diff --git a/docs/reverse_proxy.md b/docs/reverse_proxy.md
@@ -5,10 +5,10 @@ It is recommended to put a reverse proxy such as
 [Apache](https://httpd.apache.org/docs/current/mod/mod_proxy_http.html),
 [Caddy](https://caddyserver.com/docs/quick-starts/reverse-proxy),
 [HAProxy](https://www.haproxy.org/) or
-[relayd](https://man.openbsd.org/relayd.8) in front of Synapse. One advantage
-of doing so is that it means that you can expose the default https port
-(443) to Matrix clients without needing to run Synapse with root
-privileges.
+[relayd](https://man.openbsd.org/relayd.8) in front of Synapse.
+This has the advantage of being able to expose the default HTTPS port (443) to Matrix
+clients without requiring Synapse to bind to a privileged port (port numbers less than
+1024), avoiding the need for `CAP_NET_BIND_SERVICE` or running as root.
 
 You should configure your reverse proxy to forward requests to `/_matrix` or
 `/_synapse/client` to Synapse, and have it set the `X-Forwarded-For` and

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+Mention `CAP_NET_BIND_SERVICE` as an alternative to running Synapse as root in order to bind to a privileged port.