Linux systems provide capabilities that grant specific commands the ability to complete tasks that are normally permitted only by a root account. Instead of granting an ability to a specific user, capabilities are granted to a specific command. For convenience, you might enable the server to listen on privileged ports while running as a non-root user.

  • To assign capabilities to an application, run the setcap command.
    For example, the cap_net_bind_service capability enables a service to bind a socket to privileged ports, which are defined as ports with numbers less than 1024. If Java is installed in /ds/java, and if the Java command to run the server is /ds/java/bin/java, then you can grant the Java binary the cap_net_bind_service capability by running the following command.
    $ sudo setcap cap_net_bind_service=+eip /ds/java/bin/java

    The Java binary requires an additional shared library, libjli.so, as part of the Java installation.

    Because additional limitations are imposed on where the operating system looks for shared libraries to load for commands with assigned capabilities, you must create the file /etc/ld.so.conf.d/libjli.conf with the path to the directory that contains the libjli.so file.

    For example, if the Java installation is located in /ds/java, the contents must be as shown in this example.
    /ds/java/lib/amd64/jli
    Run the following command for the change to take effect.
    $ sudo ldconfig -v