
>running on 80 or 443 needs root access

Not necessarily:

    setcap 'cap_net_bind_service=+ep' your_go_binary
    ./your_go_binary



This is interesting, I have never seen setcap. It seems it doesn't work with scripts (ruby, python) and if you are using JVM/mono/beam you will need to setcap the whole VM, but a very cool solution for a language like Go with binaries!


My two cents, you probably need to apply setcap to the Python interpreter itself instead of the script. It shouldn't be a problem though, since you probably will use a virtualenv anyway.

Another option would be to drop privileges at runtime.


>It shouldn't be a problem though, since you probably will use a virtualenv anyway.

virtualenvs don't create a new interpreter, they just fudge the python path?

Definitely not recommended on interpreted languages (although we use it all the time on our go apps).


They create a copy of the binary of the interpreter, you can even call it directly instead of activating the virtualenv first.


If you have a service run with systemd you can use this in the unit file:

    AmbientCapabilities=CAP_NET_BIND_SERVICE

otherwise you'll have to run setcap any time the binary changes.
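
The unit-file approach from the comment above, written out as a full service definition. This is an added example, not part of the thread; the unit path, the `svc-web` account and the binary location are assumptions, and the `CapabilityBoundingSet=` and `NoNewPrivileges=` lines are extra hardening beyond what the comment mentions.

```ini
# /etc/systemd/system/your_go_binary.service  (path and names are assumptions)
[Unit]
Description=Go service listening on 443 without root
After=network.target

[Service]
# Run as an unprivileged account; "svc-web" is a hypothetical user.
# Without a non-root User=, the ambient capability adds nothing.
User=svc-web
Group=svc-web
ExecStart=/usr/local/bin/your_go_binary

# Grant only the capability needed to bind ports below 1024.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Limit what the process and its children can ever hold to that one capability.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Block privilege gain through setuid binaries or file capabilities.
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
```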



