Linux provides capabilities used to grant specific commands the ability to do things that are normally reserved for a root account. Instead of granting the ability to a specific user, capabilities are granted to a specific command.
It might be convenient to enable the server to listen on privileged ports while running as a non-root user.
setcap command assigns capabilities to an application. The
cap_net_bind_ service capability enables a service to bind a socket
to privileged ports (port numbers less than 1024). If Java is installed in
/ds/java (and the Java command to run the server is
/ds/java/bin/java), the Java binary can be granted the
cap_net_bind_service capability with the following command.
$ sudo setcap cap_net_bind_service=+eip /ds/java/bin/java
The Java binary needs an additional shared library, such as
as part of the Java installation. More strict limitations are imposed on where the
operating system will look for shared libraries to load for commands that have
capabilities assigned. So it is also necessary to tell the operating system where to
look for this library. This can be done by creating the file
/etc/ld.so.conf.d/libjli.conf with the path to the directory
that contains the
libjli.so file. For example, if the Java installation
is in /ds/java, the contents of that file should be as follows.
Run the following command for the change to take effect.
$ sudo ldconfig -v