Enabling the server to listen on privileged ports
To enable PingAuthorize Server to listen on privileged ports as a non-root user, grant capabilities to specific commands.
About this task
Linux systems provide capabilities that grant specific commands the ability to complete tasks that are normally permitted only by a root account. Instead of granting an ability to a specific user, capabilities are granted to a specific command. For convenience, you might enable the server to listen on privileged ports while running as a non-root user.
Steps
- To assign capabilities to an application, run the setcap command.
  For example, the cap_net_bind_service capability enables a service to bind a socket to privileged ports, which are defined as ports with numbers less than 1024. If Java is installed in /ds/java, and if the Java command to run the server is /ds/java/bin/java, then you can grant the Java binary the cap_net_bind_service capability by running the following command.
  $ sudo setcap cap_net_bind_service=+eip /ds/java/bin/java
  The capability is attached to the file rather than to a user: every process started from this Java binary, by any user permitted to execute it, can bind privileged ports.
- The Java binary requires an additional shared library, libjli.so, as part of the Java installation. Because the dynamic loader imposes additional limitations on where it looks for shared libraries when it loads a command with assigned capabilities (in particular, it ignores LD_LIBRARY_PATH, as it does for setuid programs), you must create the file /etc/ld.so.conf.d/libjli.conf with the path to the directory that contains the libjli.so file.
  For example, if the Java installation is located in /ds/java, the contents must be as shown in this example.
  /ds/java/lib/amd64/jli
- Run the following command for the change to take effect.
  $ sudo ldconfig -v
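The following script verifies the three changes above after they have been made: that the Java binary carries cap_net_bind_service in its effective and permitted sets, that libjli.so is now found through the loader cache from the configured directory, and whether the binary is executable by all local users (in which case all of them gain the ability to bind privileged ports). It is an added example, not part of the PingAuthorize documentation; the /ds/java paths are the ones used on this page and are assumptions about where Java is installed, overridable through the JAVA_BIN and JLI_DIR environment variables. The getcap and stat output formats it parses are those of libcap and GNU coreutils.

```shell
#!/bin/sh
# Post-change verification for the privileged-port setup described above.
# Added example, not part of the PingAuthorize documentation. JAVA_BIN and
# JLI_DIR default to the /ds/java paths from the page (assumptions about the
# Java installation); override them in the environment for other layouts.

JAVA_BIN="${JAVA_BIN:-/ds/java/bin/java}"
JLI_DIR="${JLI_DIR:-/ds/java/lib/amd64/jli}"

# has_bind_cap LINE
# Succeeds if a line of getcap output grants cap_net_bind_service in both the
# effective (e) and permitted (p) sets. Both libcap output styles are accepted:
#   "/ds/java/bin/java = cap_net_bind_service+eip"   (older libcap)
#   "/ds/java/bin/java cap_net_bind_service=eip"      (libcap 2.41 and later)
# Assumes a single capability clause, which is what the setcap command above
# produces; a binary with several differently-flagged clauses needs more.
has_bind_cap() {
    case "$1" in *cap_net_bind_service*) ;; *) return 1 ;; esac
    flags=${1##*[+=]}                      # flag letters after the last '+' or '='
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) return 0 ;; *) return 1 ;; esac
}

# jli_in_cache LDCONFIG_OUTPUT DIR
# Succeeds if `ldconfig -p` output lists libjli.so from DIR, i.e. the
# /etc/ld.so.conf.d entry was picked up when ldconfig rebuilt the cache.
jli_in_cache() {
    printf '%s\n' "$1" | grep -q "libjli\.so .*=> $2/libjli\.so\$"
}

# other_can_exec MODE
# Succeeds if the 'other' execute bit is set in an octal mode such as 755.
# File capabilities belong to the binary, so every user who can execute it
# gets cap_net_bind_service; this tells you whether that is every local user.
other_can_exec() {
    case "$1" in *[1357]) return 0 ;; *) return 1 ;; esac
}

# verify_host: run the checks against the live system and report.
verify_host() {
    status=0
    if has_bind_cap "$(getcap "$JAVA_BIN" 2>/dev/null)"; then
        echo "ok   $JAVA_BIN has cap_net_bind_service in effective+permitted sets"
    else
        echo "FAIL $JAVA_BIN lacks cap_net_bind_service (rerun setcap)"; status=1
    fi
    if jli_in_cache "$(ldconfig -p 2>/dev/null)" "$JLI_DIR"; then
        echo "ok   libjli.so is in the loader cache from $JLI_DIR"
    else
        echo "FAIL libjli.so not cached from $JLI_DIR (check libjli.conf, rerun ldconfig)"; status=1
    fi
    if other_can_exec "$(stat -c %a "$JAVA_BIN")"; then
        echo "note $JAVA_BIN is executable by all users; each of them may bind privileged ports"
    fi
    return $status
}

if [ -x "$JAVA_BIN" ]; then
    verify_host
else
    echo "skip: $JAVA_BIN not found; set JAVA_BIN and JLI_DIR for your installation"
fi
```

Run it as the service account rather than root: getcap, ldconfig -p and stat all work without privileges, and a pass from the account that actually starts PingAuthorize Server is the result that matters.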