Hello knot-resolver users,
I have a question about the design of the systemd service for knot-resolver. I
installed knot from the OpenSuse repository
<https://software.opensuse.org//download.html?project=home%3ACZ-NIC%3Aknot-resolver-latest&package=knot-resolver>
on Ubuntu 16 and 18.
The systemd service uses user *knot-resolver*. But this user cannot bind to
unprivileged ports, so when I have a configuration like the one below, where I
bind to a network interface on a privileged port and change user context, it
fails with "*[system] bind to '10.20.30.118@853' Permission denied*":
```
net.listen({'10.20.30.118'}, 853, { tls = true })
user('knot-resolver', 'knot-resolver')
```
To fix this I changed User *knot-resolver* to *root* in the systemd service.
Now the service starts to run as root, binds to the network interface and then
changes context.
My question is, is this solution fine security-wise? Why is the systemd
service designed to run as user knot-resolver, when I guess many people
will need to override this in order to use knot-resolver properly? What is
the main idea? Or is there a different approach to overcome this (such as
Linux capabilities)?
Thank you for responses and please correct me in anything if I am wrong.
Ondrej Vaško
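
The Linux capabilities approach raised in the question, as an added example that is not part of the original message and not the project's own unit file: a systemd drop-in that keeps the unprivileged account and grants only the right to bind ports below 1024. The drop-in path and the unit name placeholder are assumptions; substitute the name of the service unit the package actually installs.

```ini
# Assumed location (placeholder unit name, not taken from the post):
#   /etc/systemd/system/<knot-resolver-unit>.service.d/bind-privileged.conf
# After editing: systemctl daemon-reload, then restart the service.

[Service]
# Setting described in the post: the whole daemon starts as root and
# relies on user() in the resolver config to drop privileges later.
# User=root

# Alternative: never start as root. The process keeps the service account
# and receives a single capability.
User=knot-resolver
Group=knot-resolver

# Ambient capabilities survive execve() for a non-root user, so the
# daemon can bind 853/tcp without any other root privilege.
AmbientCapabilities=CAP_NET_BIND_SERVICE

# Bound the set so that no other capability can ever be acquired,
# even if a child process is a setuid binary.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# Block privilege gain through setuid/setgid binaries and file capabilities.
NoNewPrivileges=true
```

With this drop-in the process is never root, so the `user('knot-resolver', 'knot-resolver')` line in the resolver configuration has no privileges left to drop. `systemctl show -p User -p AmbientCapabilities <knot-resolver-unit>` confirms what systemd will apply.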