
Or just giving relevant users CAP_NET_BIND_SERVICE.


Or do it to the binaries:

> setcap 'cap_net_bind_service=+ep' /path/to/executable

Huge blog post for what is literally a one-line fix.


Unprivileged user accounts can't do that, so it changes nothing about the blog post.


Also only works for actual binaries, not scripts. Well, you can write a short exec wrapper I suppose.


Hm. Why doesn't it work for scripts? I thought the capabilities were stored in the filesystem?


An OS that allows shebang scripts to have setuid or capabilities ends up allowing security holes, as seen in traditional Unix variants; see http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html and https://www.in-ulm.de/~mascheck/various/shebang/#setuid

Therefore, Linux simply doesn't allow it.


Because the script is probably not what is actually opening the port. It is going to execute something else that will open the port.


sudo setcap 'cap_net_bind_service=+ep' /usr/bin/nodejs

then all users benefit from it.
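The suggestion above is exactly what a defender would want to find during an audit: a capability set on an interpreter such as /usr/bin/nodejs is available to every script any local user runs through it, which is much broader than granting one service the right to bind port 80. The following is an added example, not code from anyone in this thread, that parses `getcap -r` output and flags cap_net_bind_service grants made to common interpreters. The sample getcap lines are constructed, and it assumes the two output formats libcap has used (older `path = caps+ep` and newer `path caps=ep`).

```shell
#!/bin/sh
# Audit file capabilities for cap_net_bind_service and flag grants made to
# general-purpose interpreters. Added example; not from the thread.

# Constructed sample of `getcap -r` output (not a real scan). Both libcap output
# styles are included: the older "path = caps+ep" and the newer "path caps=ep".
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/nodejs = cap_net_bind_service+ep
/usr/bin/python3.11 cap_net_bind_service=ep
/usr/local/sbin/myhttpd cap_net_bind_service=ep
/usr/bin/mtr-packet = cap_net_raw+ep'

# Read getcap output on stdin; print the path of every entry whose capability
# set includes cap_net_bind_service. Paths containing spaces are not handled.
bind_service_binaries() {
    awk '/cap_net_bind_service/ { print $1 }'
}

# Read paths on stdin; keep only common interpreters. A capability on an
# interpreter binary is usable by every script any local user runs with it.
flag_interpreters() {
    grep -E '/(python[0-9.]*|node(js)?|perl[0-9.]*|ruby|bash|sh)$' || true
}

# Full pipeline on stdin: interpreters that can bind privileged ports.
audit_text() {
    bind_service_binaries | flag_interpreters
}

# Scan the usual binary directories on the running system, if getcap is installed.
audit_live() {
    command -v getcap >/dev/null 2>&1 || { echo "getcap not installed" >&2; return 0; }
    getcap -r /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin 2>/dev/null | audit_text
}

echo "Interpreters with cap_net_bind_service in the constructed sample:"
printf '%s\n' "$SAMPLE_GETCAP" | audit_text
```

On the sample this lists /usr/bin/nodejs and /usr/bin/python3.11 but not /usr/local/sbin/myhttpd, which is the shape of grant the thread's original fix intends: one dedicated binary, not a shared interpreter. Run `audit_live` to apply the same check to the local system.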


How does that solve the problem? How do 100 users bind their locally-installed web server to port 80? How do you make it so that only my user can bind to only my IP?


You use network namespaces or a whole solution like LXC.


Doesn't solve the problem, just shows he doesn't understand the problem.


A lot of good blog posts end up as one line fixes :-)



