Listening on privileged ports -- is root the only option?

I have a snap that would like to listen on port 80. In the past we’ve used authbind to allow this with an otherwise unprivileged user.

I’ve examined the code for network_bind.go and I don’t see anything that indicates port permissioning. When I run my snap as root and network-bind interface linked up, it allows me to listen on 80, but I’d really hate to be running our entire app as root (!) just for this one port.

Are there any other techniques or options for doing this?

Not at the moment, though there is a roadmapped item here: Multiple users and groups in snaps (this falls under the ‘Opt-in per-snap users/groups’ use case).

Do note that the sandbox is root-strong for strict mode snaps and root in a snap is not at all the same as root outside of the snap (not to say that privilege dropping isn’t desirable within a snap of course!).