PingDirectory

Running as a non-root user (Linux)

You have two options for running the server as a non-root user while still accepting connections on a privileged port.

Use a load balancer or directory proxy server

Many environments run the server on a non-privileged port and place it behind a hardware load balancer or an LDAP directory proxy server that accepts the client connections on the privileged port.

Use netfilter

Use the netfilter mechanism, exposed through the iptables command, to redirect requests that arrive on the privileged port to the non-privileged port on which the server is listening.

Enabling the server to listen on privileged ports (Linux)

As a convenience, you can enable the server to listen on privileged ports while it runs as a non-root user.

About this task

Linux systems have a mechanism called capabilities that grants specific executables the ability to perform operations that are normally reserved for the root account:

  • The setcap command assigns capabilities to an application.

  • The cap_net_bind_service capability enables a service to bind a socket to privileged ports (port numbers less than 1024).

Steps

  1. If Java is installed in /ds/java and the Java command to run the server is /ds/java/bin/java, you can grant the cap_net_bind_service capability to the Java binary with the following command:

    $ sudo setcap cap_net_bind_service=+eip /ds/java/bin/java
  2. Create the file /etc/ld.so.conf.d/libjli.conf with the path to the directory that contains the libjli.so file.

    The Java binary needs an additional shared library (libjli.so) that is part of the Java installation. Because the dynamic loader applies stricter limits on where it looks for shared libraries when it runs a command that has capabilities assigned (environment variables such as LD_LIBRARY_PATH are ignored), you must also tell the operating system where to find this library.

    Example:

    If the Java installation is in /ds/java, the contents of that file should be:

    /ds/java/lib/amd64/jli
  3. To apply the changes, run the following command:

    $ sudo ldconfig -v
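The three steps above combined into one script that also verifies each step, as an added example that is not part of the PingDirectory documentation. JAVA_HOME=/ds/java and the file /etc/ld.so.conf.d/libjli.conf come from the page; the helper names (jli_dir, has_bind_cap, grant_bind_cap, register_jli) are chosen here, and the libjli.so directory is located with find rather than hard-coded because it differs between Java versions (lib/amd64/jli on Java 8, lib/jli on Java 9 and later).

```shell
#!/bin/sh
# Added example (not from the PingDirectory docs): apply and verify the
# three steps above. JAVA_HOME defaults to /ds/java as on the page; the
# libjli.so directory is discovered with find because it differs between
# Java versions (lib/amd64/jli on Java 8, lib/jli on Java 9 and later).
set -eu
JAVA_HOME="${JAVA_HOME:-/ds/java}"
CONF=/etc/ld.so.conf.d/libjli.conf

# Print the directory that holds libjli.so under a Java installation.
# Prints nothing and returns 1 if the library cannot be found.
jli_dir() {
  lib=$(find "$1" -name libjli.so -type f 2>/dev/null | head -n 1)
  [ -n "$lib" ] || return 1
  dirname "$lib"
}

# Return 0 only if a getcap output line shows cap_net_bind_service in the
# effective set. Both getcap output formats are handled:
#   /ds/java/bin/java = cap_net_bind_service+eip   (older libcap)
#   /ds/java/bin/java cap_net_bind_service=eip     (libcap 2.41 and later)
has_bind_cap() {
  printf '%s\n' "$1" | grep -Eq 'cap_net_bind_service[^ ]*[=+][a-z]*e'
}

# Step 1: grant the capability (needs root) and verify it took effect.
grant_bind_cap() {
  sudo setcap cap_net_bind_service=+eip "$1"
  has_bind_cap "$(getcap "$1")"
}

# Steps 2 and 3: register the libjli.so directory with the dynamic loader
# and confirm that ldconfig now picks the library up.
register_jli() {
  dir=$(jli_dir "$1") || { echo "libjli.so not found under $1" >&2; return 1; }
  printf '%s\n' "$dir" | sudo tee "$CONF" >/dev/null
  sudo ldconfig -v 2>/dev/null | grep -q 'libjli.so'
}

main() {
  grant_bind_cap "$JAVA_HOME/bin/java"
  register_jli "$JAVA_HOME"
  echo "OK: $JAVA_HOME/bin/java can now bind ports below 1024"
}

# Only make changes when explicitly asked: sh privileged-port.sh apply
case "${1:-}" in apply) main ;; esac
```

Because the file capability attaches to the java binary itself, every program launched through that binary inherits it, so keep the server's JDK (here /ds/java) separate from any system-wide Java installation.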