
No error or warnings when soft cannot bind to privileged ports (Debian 12) #645

Open
pyfon opened this issue Feb 9, 2025 · 1 comment
Labels
bug Something isn't working

Comments

@pyfon

pyfon commented Feb 9, 2025

Describe the bug
After specifying privileged ports (22, 80) to soft serve for the SSH and/or HTTP server, when running as the default soft-serve user (as default in soft-serve.service) soft serve will start normally, but will not bind to the specified ports. No errors or warning regarding this are generated of any kind.

I believe this is a bug, because soft serve is unable to fulfill the configuration specified due to privilege issues.
This should result in the program exiting with an error, or at the very least, warning the user with a log message.
Not doing so risks confusion, and is otherwise bad practice.

Ideally, the process of binding to privileged ports with the default systemd units should be documented, or alternatively, soft could start as root to bind to whatever ports it needs, before dropping down to the soft-serve user.

To Reproduce
Debian 12 machine.
Installation (as root):

apt update
apt install curl gpg

# Install soft serve:
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://repo.charm.sh/apt/gpg.key | sudo gpg --dearmor -o /etc/apt/keyrings/charm.gpg
echo "deb [signed-by=/etc/apt/keyrings/charm.gpg] https://repo.charm.sh/apt/ * *" | sudo tee /etc/apt/sources.list.d/charm.list
sudo apt update && sudo apt install soft-serve

mkdir -p /srv/soft-serve
SOFT_SERVE_DATA_PATH=/srv/soft-serve soft serve

During this initial run of soft serve, soft binds to port 23231 for SSH.

# Edit config.yaml so SSH binds to :22
vim /srv/soft-serve/config.yaml

# Edit the systemd unit to apply my data path (see below):
systemctl edit soft-serve
systemctl daemon-reload

# Change ownership of data and start soft-serve:
chown -R soft-serve: /srv/soft-serve
systemctl start soft-serve

Systemd edit:

[Service]
Environment=SOFT_SERVE_DATA_PATH=/srv/soft-serve

At this point, soft-serve has started successfully.
However, soft has not bound to ports 22 or 80:
(Checked with ss -nltpu).
There is no mention of anything wrong in the systemd journal, it simply says it's starting the SSH and HTTP server:

Feb 09 14:18:22 git-test soft[1747]: 2025-02-09 14:18:22 server: Starting SSH server addr=:22
Feb 09 14:18:22 git-test soft[1747]: 2025-02-09 14:18:22 server: Starting Git daemon addr=:9418
Feb 09 14:18:22 git-test soft[1747]: 2025-02-09 14:18:22 server: Starting HTTP server addr=:80

I ran sudo -u soft-serve SOFT_SERVE_DATA_PATH=/srv/soft-serve strace -f soft serve, and found this in the strace output, suggesting soft does not have permission to bind, which would make sense for an unprivileged user:

7952  bind(9, {sa_family=AF_INET6, sin6_port=htons(22), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::", &sin6_addr), sin6_scope_id=0}, 28 <unfinished ...>
7949  futex(0xc0000a1648, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
7952  <... bind resumed>)               = -1 EACCES (Permission denied)

Expected behavior
soft serve to exit with an error after being unable to bind to the ports specified in the configuration.

Workaround
The following workaround will enable binding to privileged ports:

systemctl edit soft-serve

[Service]
Environment=SOFT_SERVE_DATA_PATH=/srv/soft-serve
User=root
Group=root
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
PrivateUsers=false
ProtectSystem=false
ProtectHome=false
SystemCallFilter=@known

Environment (please complete the following information):

  • OS: Debian 12 (tested on an Incus Virtual Machine [QEMU], and an Incus container)
  • Version: soft version v0.8.2 (22d00e9)
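The failure mode described above (the server logs "Starting SSH server addr=:22", the bind fails with EACCES in a goroutine, and the process keeps running without listening) is the classic result of starting listeners asynchronously and dropping their errors. The following is an added example, not code from soft-serve, showing the fail-fast pattern the reporter asks for: every configured address is bound synchronously before any server loop starts, the first bind error is returned to the caller (which exits non-zero), and a permission error gets an operator-facing hint. The `serverSpec` type, `startListeners` and `bindHint` names are assumptions for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"syscall"

	"net"
)

// serverSpec is one configured listener, e.g. {"ssh", ":22"}.
type serverSpec struct {
	Name string
	Addr string
}

// startListeners binds every configured address up front, before any
// server goroutine is started. If one bind fails (for example EACCES on
// :22 as an unprivileged user, or EADDRINUSE on a busy port), the
// listeners already opened are closed and the error is returned, so the
// caller can exit instead of logging "Starting SSH server" and then
// silently serving nothing on that port.
func startListeners(specs []serverSpec) (map[string]net.Listener, error) {
	opened := make(map[string]net.Listener, len(specs))
	for _, s := range specs {
		ln, err := net.Listen("tcp", s.Addr)
		if err != nil {
			for _, l := range opened {
				l.Close()
			}
			return nil, fmt.Errorf("%s server: bind %s: %w", s.Name, s.Addr, err)
		}
		opened[s.Name] = ln
	}
	return opened, nil
}

// bindHint turns the raw errno into advice an operator can act on.
// net.Listen wraps the syscall error, so errors.Is sees through it.
func bindHint(err error) string {
	switch {
	case errors.Is(err, syscall.EACCES):
		return " (ports below 1024 require CAP_NET_BIND_SERVICE, e.g. via " +
			"systemd AmbientCapabilities=, or choose a port >= 1024)"
	case errors.Is(err, syscall.EADDRINUSE):
		return " (another process already listens on this address)"
	}
	return ""
}

func main() {
	// Constructed configuration mirroring the report: :22 is privileged and
	// fails with EACCES when run as the soft-serve user.
	specs := []serverSpec{
		{"ssh", ":22"},
		{"git", ":9418"},
		{"http", ":80"},
	}
	lns, err := startListeners(specs)
	if err != nil {
		// Fail fast: the service exits non-zero and systemd records it.
		log.Fatalf("fatal: %v%s", err, bindHint(err))
	}
	for name, ln := range lns {
		log.Printf("%s server listening on %s", name, ln.Addr())
		ln.Close()
	}
}
```

Run as an unprivileged user this exits with `fatal: ssh server: bind :22: listen tcp :22: bind: permission denied (ports below 1024 require CAP_NET_BIND_SERVICE ...)`, which is exactly the signal the reporter found missing from the journal. Binding first and serving second is also what makes the unit's `Restart=` and any port-based health check meaningful: a service that is up but not listening is the worst of both worlds for monitoring.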
@aymanbagabas aymanbagabas added the bug Something isn't working label Feb 10, 2025
@aymanbagabas
Member

Thank you for the thorough bug report. This is likely due to context not being canceled properly here. It might take us some time to prioritize this one, but if this issue is of your interest, please feel free to send a patch 🙂
