Linux systems have a mechanism called capabilities that is used to grant
specific commands the ability to do things that are normally only allowed
for a root account. It may be convenient to
enable the server to listen on privileged ports while running as a non-root user.
The setcap command is used to assign capabilities to an application.
The cap_net_bind_service capability enables a service to bind a socket to privileged
ports (port numbers less than 1024). If Java is installed in /ds/java
(so that the Java command to run the server is /ds/java/bin/java), the Java binary can be
granted the cap_net_bind_service capability with the following command:
$ sudo setcap cap_net_bind_service=+eip /ds/java/bin/java
The java binary needs an additional shared library (libjli.so) that is part of the Java
installation. Stricter limitations are imposed on where the operating system
will look for shared libraries to load for commands that have capabilities assigned,
so it is also necessary to tell the operating system where to look for this library. This can
be done by creating the file /etc/ld.so.conf.d/libjli.conf with the path to the directory
that contains the libjli.so file. For example, if the Java installation
is in /ds/java, the contents of that file should be:
Run the following command for the change to take effect:
$ sudo ldconfig -v
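The script below is an added example, not part of the original documentation. It locates the directory that holds libjli.so under a Java home, rejects that directory if it is group- or world-writable, and, when run with --apply, performs the steps above and verifies them with getcap and ldconfig -p. The function names and the --apply switch are assumptions of this example; /ds/java is the page's example path.

```shell
#!/bin/sh
# Added example, not from the original documentation.
# Function names and the --apply switch are hypothetical; /ds/java is the page's example path.

# Print the one directory under a Java home that contains libjli.so.
find_libjli_dir() {
    dirs=$(find "$1" -name libjli.so \( -type f -o -type l \) 2>/dev/null |
           sed 's|/[^/]*$||' | sort -u)
    if [ -z "$dirs" ]; then
        echo "libjli.so not found under $1" >&2
        return 1
    fi
    if [ "$(printf '%s\n' "$dirs" | grep -c .)" -ne 1 ]; then
        echo "libjli.so found in several directories under $1:" >&2
        printf '%s\n' "$dirs" >&2
        return 2
    fi
    printf '%s\n' "$dirs"
}

# A directory listed in /etc/ld.so.conf.d is searched for every dynamically
# linked program, so reject one that group or other users can write to.
dir_is_locked_down() {
    loose=$(find "$1" -prune \( -perm -020 -o -perm -002 \))
    if [ -n "$loose" ]; then
        echo "$1 is group- or world-writable" >&2
        return 1
    fi
}

# Usage: sh this-script.sh --apply [java_home]
if [ "${1:-}" = "--apply" ]; then
    jhome=${2:-/ds/java}
    libdir=$(find_libjli_dir "$jhome") || exit 1
    dir_is_locked_down "$libdir" || exit 1
    sudo setcap cap_net_bind_service=+eip "$jhome/bin/java"
    printf '%s\n' "$libdir" | sudo tee /etc/ld.so.conf.d/libjli.conf >/dev/null
    sudo ldconfig
    getcap "$jhome/bin/java"       # lists the capability set on the binary
    ldconfig -p | grep libjli.so   # confirms the loader cache has the library
fi
```

Once the capability is set, any account that can execute that java binary can bind privileged ports, so the execute permission on the binary is worth restricting to the server's account.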