• Synthead@lemmy.ml
    link
    fedilink
    arrow-up
    27
    arrow-down
    3
    ·
    edit-2
    1 year ago

    The reason you can’t host as port 80 on unmodified Android isn’t because “Google won’t let you.” Android is open source. You can do what you want with it. Android runs on Linux, and ports 0-1023 are privileged ports that can only be used as root.

    Unmodified Android does not allow userland apps to run as root for very good reasons, so you don’t have access to these ports. That’s all there is to it. If you attempted to do the same thing on Ubuntu, you would also not be able to use port 80 without root.

    However, this is a naive approach to hosting a website. Production web stacks, when hosted on a machine, typically use a least-privileged model where not only ports are banned, but most file access is, too.

    Most dynamic web stacks won’t host on port 80 directly. Most will serve either a socket connection or host multiple ports on threads, i.e. ports 3000 to 3007. These connections would then be proxied via something like Nginx to serve as a load balancer, and Nginx can also manage SSL for you, too.

    If Nginx is started as root, it can host on port 80. If not, serve on port 8080 and use NAT to redirect it to port 80 with your firewall. You are using a firewall for publicly-hosted content, right?

    • spader312@lemmy.world
      link
      fedilink
      arrow-up
      8
      arrow-down
      1
      ·
      1 year ago

      It’s also not practical. Why would I want outside people connecting to my phone constantly? Security risk? Battery drain? Inconsistent IP Address? Just host it somewhere designed for hosting lol

    • lazylion_ca@lemmy.ca
      link
      fedilink
      arrow-up
      4
      arrow-down
      1
      ·
      1 year ago

      The other issue is phones would not typically have a public IP without ipv6. You are also unlikely to have a static (consistent) IP address.

      • Synthead@lemmy.ml
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        1 year ago

        I don’t think it’s a great idea to host a website on cellular data. If I had to serve something with a mobile device, I’d use USB networking, or a USB to Ethernet adapter.

    • Skull giver@popplesburger.hilciferous.nlOP
      link
      fedilink
      arrow-up
      4
      arrow-down
      9
      ·
      1 year ago

      You don’t need root to run on port 80, though. And on Ubuntu you can run a server on port 80 as well as long as the software is set up right. It’s the easiest way (and the way the “just disable SELinux” guides often recommend) but there are much better mechanisms for that.

      Even if you start nginx as root under normal circumstances, nginx will drop privileges and switch to another user ID exactly because of the root user risks. Nobody wants to run web servers as root, and nobody wants Android to just add root capabilities to the standard config.

      All you need is to either CAP_NET_BIND_SERVICE=+ep on the web server or to alter net.ipv4.ip_unprivileged_port_start (just set it to 0 in your system image and ports will just work). The kernel can do this dynamically, like it handles most sandboxing and permissions. The sysctl config is a setting you can just change and one Google could fix with just a single line of code.

      Most dynamic web stacks won’t host on port 80 directly. Most will serve either a socket connection or host multiple ports on threads, i.e. ports 3000 to 3007. These connections would then be proxied via something like Nginx to serve as a load balancer, and Nginx can also manage SSL for you, too.

      Well, yeah, but Nginx will still need to run on some kind of port. 80 and 443 for standard web browsers. http/3 can work on any port, but support is still in beta for most web servers and leaves out a ton of clients.

      If Nginx is started as root, it can host on port 80. If not, serve on port 8080 and use NAT to redirect it to port 80 with your firewall. You are using a firewall for publicly-hosted content, right?

      I don’t use NAT for most of my services to be honest. I have about four billion IPv6 addresses available, and nginx reverse proxies work just fine for legacy IPv4 stuff.

      “Just compile your own Android” isn’t the solution you may think it is. Custom ROMs are a massive pain. Unlocking the bootloader to install it will do all kinds of weird things. Things like “wiping all data” for one, and sometimes also clearing the DRM keys, breaking streaming apps on the device forever. On some Samsung phone unlocking the bootloader will disable the camera firmware, breaking most camera features until the bootloader is locked again.

      • Synthead@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        I wouldn’t want to reduce security by allowing privileged ports as any user, or running modified operating systems that have lessened security baked-in. This security principle is in place for good reasons, and they should remain in place.

        If you are exposing your LAN to your Internet connection, you’re doing something wrong. If you are not, but are using a firewall that doesn’t support NAT, then I don’t trust your firewall. If your firewall supports NAT, and you’re attempting to subvert Linux security measures instead of using it, then you’re doing something wrong.

        • Skull giver@popplesburger.hilciferous.nlOP
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          I’m not sure what the security benefits of privileged ports is. Any user can run RDP, OpenVPN/Wireguard, LDAP, and a bunch of other protocols on their standard ports, but thank god they can’t run FTP or HTTP servers! IMAP servers sure are dangerous, but SIP servers should be available to any user for security purposes of course. KDE Connect will open fifty ports for SSH servers, but the important thing is that none of those ports is 22 so all is well.

          macOS abolished them a while ago and I don’t believe macs and iPhones are getting hacked left, right, and center. The security benefit is there for systems shared by many users, preventing a standard user from impersonating operating system services. There are a few shared hosts with terminal access that still need these protections, but my phone doesn’t.

          As for the firewall: if you have NAT enabled on a consumer router, your firewall is essentially open the moment any device on your network runs external code, i.e. any app. Some consumer hardware can even be tricked by regular WebRTC/HTTP traffic, though that’s harder to pull off; those mechanisms only allow incoming traffic to any local port of an attacker’s choosing, not to any port on any device in your network. Thank NAT ALGs and NAT slipstreaming for that; it’s as if UPnP never went away!

          I suppose you could run your own NAT without any ALGs and just not use protocols like passive FTP or SIP, but that would require a custom setup like an OpenWRT router or something of that nature.