Linux provides 'capabilities' used to grant specific commands the ability to do things that are normally reserved for a root account. Instead of granting the ability to a specific user, capabilities are granted to a specific command.
It might be convenient to enable the server to listen on privileged ports while running as a non-root user.
The setcap
command assigns capabilities to an application. The
cap_net_bind_ service
capability enables a service to bind a socket
to privileged ports (port numbers less than 1024). If Java is installed in
/ds/java (and the Java command to run the server is
/ds/java/bin/java)
, the Java binary can be granted the
cap_net_bind_service
capability with the following
command.
$ sudo setcap cap_net_bind_service=+eip /ds/java/bin/java
The
Java
binary needs an additional shared library, such as libjli.so
, as part
of the Java installation. More strict limitations are imposed on where the operating
system will look for shared libraries to load for commands that have capabilities
assigned. So it is also necessary to tell the operating system where to look for this
library. This can be done by creating the file
/etc/ld.so.conf.d/libjli.conf with the path to the directory
that contains the libjli.so
file. For example, if the Java installation
is in /ds/java, the contents of that file should
be as
follows.
/ds/java/lib/amd64/jli
Run the following command for the change to take effect.
$ sudo ldconfig -v