fix: improve error message when binding to privileged ports (fixes apple#978) (apple#1031)

Ronitsabhaya75 · web-flow · commit 4af1cc01c4b7 · 2026-01-08T19:27:43.000-08:00
- The container fails to start with a generic "permission denied"
  error when attempting to publish privileged ports (ports below
  1024) without root privileges. This provides a confusing user
  experience as the error doesn't explain why permission was
  denied.
diff --git a/Sources/Services/ContainerSandboxService/Server/SandboxService.swift b/Sources/Services/ContainerSandboxService/Server/SandboxService.swift
@@ -748,7 +748,17 @@ public actor SandboxService {
                                 log: self.log
                             )
                         }
-                        return try await forwarder.run().get()
+                        do {
+                            return try await forwarder.run().get()
+                        } catch let error as IOError where error.errnoCode == EACCES {
+                            if let port = proxyAddress.port, port < 1024 {
+                                throw ContainerizationError(
+                                    .invalidArgument,
+                                    message: "Permission denied while binding to host port \(port). Binding to ports below 1024 requires root privileges."
+                                )
+                            }
+                            throw error
+                        }
                     }
                 }
             }
diff --git a/Tests/CLITests/Subcommands/Run/TestCLIRunCommand.swift b/Tests/CLITests/Subcommands/Run/TestCLIRunCommand.swift
@@ -712,4 +712,29 @@ class TestCLIRunCommand: CLITest {
 
         return trimmedOutput
     }
+
+    @Test func testPrivilegedPortError() throws {
+        try #require(geteuid() != 0)
+
+        let name = getTestName()
+        let privilegedPort = 80
+        let (_, _, error, status) = try run(arguments: [
+            "run",
+            "--name", name,
+            "--publish", "127.0.0.1:\(privilegedPort):80",
+            alpine,
+        ])
+        defer {
+            try? doRemove(name: name, force: true)
+        }
+        #expect(status != 0, "Command should have failed")
+        #expect(
+            error.contains("Permission denied while binding to host port \(privilegedPort)"),
+            "Error message should mention permission denied for the port. Got: \(error)"
+        )
+        #expect(
+            error.contains("root privileges"),
+            "Error message should mention root privileges requirement. Got: \(error)"
+        )
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -748,7 +748,17 @@ public actor SandboxService {`
`748`	`748`	`log: self.log`
`749`	`749`	`)`
`750`	`750`	`}`
`751`		`- return try await forwarder.run().get()`
	`751`	`+ do {`
	`752`	`+ return try await forwarder.run().get()`
	`753`	`+ } catch let error as IOError where error.errnoCode == EACCES {`
	`754`	`+ if let port = proxyAddress.port, port < 1024 {`
	`755`	`+ throw ContainerizationError(`
	`756`	`+ .invalidArgument,`
	`757`	`+ message: "Permission denied while binding to host port \(port). Binding to ports below 1024 requires root privileges."`
	`758`	`+ )`
	`759`	`+ }`
	`760`	`+ throw error`
	`761`	`+ }`
`752`	`762`	`}`
`753`	`763`	`}`
`754`	`764`	`}`