kiwiirc / kiwiirc_packager

Builds Kiwi IRC packages for distribution

KiwiIRC runs as root

ccoenen opened this issue · comments

I don't believe it is a good idea to have this thing run as root user, it is defined here:

but never actually used anywhere. It would probably need to be referenced here:

$cmd 1>> "$std_log" 2>&1 &

Other choices would be: www-data or httpd which are usually available on systems with http servers like apache or nginx; irc which is usually present on servers that run an ircd.

I changed the line to be
sudo -u $user $cmd 1>> "$std_log" 2>&1 &

but I have no idea if this is portable to different distributions.

(It should also be noted that you need to have root access to create ports < 1000; I am using this with a "regular" webserver in front of it.)

you need to have root access to create ports < 1000

*1024

A lot of people do have this running on port 80/443 by default, for which either root is needed or some distros support setcap to allow non-root users to listen on ports < 1024. Also remember that not all distros have sudo installed.

I'm not entirely sure what the best way of handling all these cases is, short of creating a package for each and every distro out there.
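The two points raised above (the `sudo -u $user $cmd` change, and the fact that sudo is not installed everywhere) can be handled in the init script itself by picking whichever privilege-dropping tool the host actually has. The following is an added example, not the kiwiirc_packager init script; the user name `kiwiirc` and the command `node server.js` are constructed values, and the `setpriv` branch assumes a group with the same name as the service user exists.

```shell
#!/bin/sh
# Added example; it is not the kiwiirc_packager init script. It generalises the
# "sudo -u $user $cmd" change from the issue so the daemon is started as the
# unprivileged user with whichever privilege-dropping tool the host has.
# Constructed values: user "kiwiirc", command "node server.js".

# Print the first available tool, in order of preference; return 1 if none exists.
pick_privdrop_tool() {
    for tool in runuser setpriv sudo su; do
        if command -v "$tool" >/dev/null 2>&1; then
            printf '%s\n' "$tool"
            return 0
        fi
    done
    return 1
}

# Print the launch line that runs "$cmd" as "$user" via "$tool".
# setpriv: assumes a group named after the user (usual for service accounts).
# su: gets an explicit shell because service accounts often have a nologin shell.
build_launch_cmd() {
    user=$1 cmd=$2 tool=$3
    case "$tool" in
        runuser) printf 'runuser -u %s -- %s\n' "$user" "$cmd" ;;
        setpriv) printf 'setpriv --reuid=%s --regid=%s --init-groups %s\n' "$user" "$user" "$cmd" ;;
        sudo)    printf 'sudo -u %s -- %s\n' "$user" "$cmd" ;;
        su)      printf "su -s /bin/sh %s -c '%s'\n" "$user" "$cmd" ;;
        *)       printf 'unsupported tool: %s\n' "$tool" >&2; return 1 ;;
    esac
}

# Launch line for the current process: drop privileges only when we really are
# root (the init-script case); otherwise the command is run unchanged.
launch_line() {
    user=$1 cmd=$2
    if [ "$(id -u)" -ne 0 ]; then
        printf '%s\n' "$cmd"
        return 0
    fi
    tool=$(pick_privdrop_tool) || { echo "no runuser/setpriv/sudo/su found" >&2; return 1; }
    build_launch_cmd "$user" "$cmd" "$tool"
}

# Run "$cmd" as "$user"; in the init script this replaces the original line:
#   run_as_user "$user" "$cmd" 1>> "$std_log" 2>&1 &
run_as_user() {
    line=$(launch_line "$1" "$2") || return 1
    sh -c "$line"
}
```

The daemon still listens on whatever port `$cmd` configures, so this only covers the user question; binding a port below 1024 as the unprivileged user is a separate problem (reverse proxy, a port above 1024, or a capability granted by the service manager).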

There appear to be only shitty options to solve this.

  • proxy to high port number is not trivial to set up
  • iptables rerouting to high port number is not trivial to set up
  • authbind appears to be debian/ubuntu only
  • setcap CAP_NET_BIND_SERVICE would apparently allow any node process to open ports (not just the specific kiwiirc process) (apparently considered harmful, see next post, thanks for speaking up :-) )

Feel free to close this, but I still think this should be documented somewhere.

Systemd has a solution for the port binding, see for example here: https://github.com/mholt/caddy/blob/master/dist/init/linux-systemd/caddy.service#L43

Using setcap is considered harmful.
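The systemd approach linked above grants the bind capability to one service as one unprivileged user, instead of stamping it on the node binary with setcap, where every node process on the host would inherit it. As an added example (not the kiwiirc_packager project's unit and not the linked caddy unit), the script below emits such a unit and audits a unit's text for the two settings that matter: a non-root `User=` and, when a port below 1024 is needed, `AmbientCapabilities=CAP_NET_BIND_SERVICE`. The user `kiwiirc` and the path `/opt/kiwiirc/kiwi` are placeholders.

```shell
#!/bin/sh
# Added example, not the project's own unit file. Emits a hardened systemd unit
# and audits unit text from stdin. Placeholders: user "kiwiirc", /opt/kiwiirc/kiwi.

# A unit that runs as an unprivileged user and may still bind port 80/443:
# AmbientCapabilities gives CAP_NET_BIND_SERVICE to this service only,
# CapabilityBoundingSet keeps it from gaining anything else.
hardened_unit() {
    cat <<'EOF'
[Unit]
Description=Kiwi IRC web client (example unit)
After=network.target

[Service]
User=kiwiirc
Group=kiwiirc
# placeholder path for the kiwiirc start command
ExecStart=/opt/kiwiirc/kiwi start
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
EOF
}

# Read a unit from stdin and return 0 only if it runs as a named non-root user.
# A missing User= means root, which is the situation this issue is about.
audit_unit() {
    unit=$(cat)
    user=$(printf '%s\n' "$unit" | sed -n 's/^User=//p' | tail -n 1)
    caps=$(printf '%s\n' "$unit" | sed -n 's/^AmbientCapabilities=//p' | tail -n 1)
    if [ -z "$user" ] || [ "$user" = "root" ]; then
        echo "FAIL: service runs as root"
        return 1
    fi
    case " $caps " in
        *" CAP_NET_BIND_SERVICE "*)
            echo "OK: runs as $user; may bind ports < 1024 via AmbientCapabilities" ;;
        *)
            echo "OK: runs as $user; no privileged ports (use a port >= 1024 or a reverse proxy)" ;;
    esac
    return 0
}

# Typical use: hardened_unit > /etc/systemd/system/kiwiirc.service (then daemon-reload)
#              audit_unit < /etc/systemd/system/kiwiirc.service
```

The audit is deliberately strict about a missing `User=`, because systemd defaults it to root; it does not check file capabilities on the node binary, which is exactly the setting the thread advises against.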

@mestaritonttu any more info on why setcap is harmful?

Only this, like we discussed on IRC: caddyserver/caddy#528 (comment)