I think these days I would approach the problem by creating per-user network namespaces and hacking the privileged port limitation away from the kernel (is there a sysctl for that? why not?)
- Then, as of kernel version 4.11, you can set where the non-privileged ports start, like "sysctl net.ipv4.ip_unprivileged_port_start=0". Somewhat helpful in that you could have them start above things like sshd (22) but below port 80. Still not great for multi-tenant, etc., though.
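As an added illustration of the sysctl discussed in this thread (not code from either commenter), the script below reads `net.ipv4.ip_unprivileged_port_start` from `/proc` (falling back to the historical default of 1024 when the file is absent, e.g. on pre-4.11 kernels), decides whether a given port would still need `CAP_NET_BIND_SERVICE` under that setting, and then actually tries a bind so you can see whether the kernel agrees. The port list in `__main__` is a constructed sample; the function names are this example's own.

```python
import errno
import socket
from pathlib import Path

# Kernel default when the sysctl has never been changed (pre-4.11 behaviour).
DEFAULT_UNPRIVILEGED_START = 1024
# Per-network-namespace knob introduced in Linux 4.11.
SYSCTL_PATH = Path("/proc/sys/net/ipv4/ip_unprivileged_port_start")


def unprivileged_port_start(sysctl_path=SYSCTL_PATH, default=DEFAULT_UNPRIVILEGED_START):
    """Return the first port an unprivileged process may bind in this netns.

    Falls back to `default` when the sysctl file does not exist (older
    kernels, non-Linux hosts) or cannot be parsed.
    """
    try:
        return int(sysctl_path.read_text().strip())
    except (OSError, ValueError):
        return default


def needs_net_bind_service(port, start):
    """True if binding `port` requires CAP_NET_BIND_SERVICE given `start`."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port < start


def try_bind(port, host="127.0.0.1"):
    """Attempt a TCP bind on `host:port` and classify the outcome.

    Returns 'bound', 'permission-denied', 'in-use', or the errno name for
    any other failure. The socket is closed immediately; nothing listens.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((host, port))
            return "bound"
    except OSError as e:
        if e.errno in (errno.EACCES, errno.EPERM):
            return "permission-denied"
        if e.errno == errno.EADDRINUSE:
            return "in-use"
        return errno.errorcode.get(e.errno, str(e.errno))


def report(ports, start=None):
    """For each port: (port, predicted-to-need-capability, actual bind result)."""
    start = unprivileged_port_start() if start is None else start
    return [(p, needs_net_bind_service(p, start), try_bind(p)) for p in ports]


if __name__ == "__main__":
    start = unprivileged_port_start()
    print(f"net.ipv4.ip_unprivileged_port_start = {start}")
    # Constructed sample: sshd, http, https and a typical app port.
    for port, priv, result in report([22, 80, 443, 8080], start):
        print(f"port {port:5d}: privileged={priv!s:5} bind={result}")
```

Run it once as a normal user, then again after `sysctl net.ipv4.ip_unprivileged_port_start=23` (inside a throwaway network namespace, since the setting is per netns), and the `bind=` column for port 80 flips from `permission-denied` to `bound` while port 22 stays protected. That is the "above sshd but below 80" split the reply describes; note the knob only moves the boundary, it does not give you per-user or per-tenant port ownership.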