
I am experimenting with Linux capabilities for a Java application. I do not want to add capabilities to the interpreter (JVM), so I tried to write a simple wrapper (with debugging information printed to stdout):

#include <stdio.h>
#include <stdlib.h>
#include <sys/capability.h>
#include <unistd.h>

int main(int argc, char *argv[]){
        cap_t cap = cap_get_proc();
        char *text;

        if (!cap) {
                perror("cap_get_proc");
                exit(1);
        }
        /* cap_to_text() allocates its result; release it with cap_free() after printing */
        text = cap_to_text(cap, NULL);
        printf("%s: running with caps %s\n", argv[0], text);
        cap_free(text);
        cap_free(cap);

        /* the argument after the path is the program name (argv[0] of java);
           without it "-server" would become java's argv[0] */
        execlp("/usr/bin/java", "java", "-server", "-jar", "project.jar", (char *)NULL);
        perror("execlp");   /* only reached if the exec fails */
        return 1;
}

This way, I can see that the capability is set for this executable:

./runner: running with caps = cap_net_bind_service+p

And getcap shows

runner = cap_net_bind_service+ip

I have the capability set to be inheritable, so there should be no problem. However, java still doesn't want to bind to privileged ports.

I am getting this error:

sun/nio/ch/Net.java:-2:in `bind': java.net.SocketException: Permission denied (NativeException)

Can someone help me to resolve this?

tomix86
Marek Jelen
  • "java still don't want to bind to privileged ports": What error message do you get? It's possible that your JRE implementation does its own (wrong) check for `uid==0` before it attempts to bind to a privileged port. – Joachim Sauer Jun 14 '10 at 11:40
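Why the wrapper's cap_net_bind_service+ip does not reach java can be worked through with the execve() capability rules from capabilities(7); the model below is an added example, not code from the question, and it also shows the ambient-set variant Linux 4.3 introduced. The struct names, the bit constant and the assumption that the shell has an empty inheritable set and a full bounding set are mine.

```c
#include <stdbool.h>
#include <stdint.h>

/* Bit for CAP_NET_BIND_SERVICE (capability number 10 in <linux/capability.h>). */
#define CAP_NET_BIND_SERVICE_BIT (1ULL << 10)

/* A thread's capability sets, one bit per capability. */
typedef struct { uint64_t permitted, inheritable, effective, ambient, bounding; } caps_t;
/* File capabilities of the binary being exec'ed; "privileged" means it is
   set-UID/set-GID or carries any file capability. */
typedef struct { uint64_t permitted, inheritable; bool effective, privileged; } fcaps_t;

/* The execve() transformation rules as documented in capabilities(7). */
caps_t exec_transform(caps_t p, fcaps_t f)
{
    caps_t n;
    n.ambient     = f.privileged ? 0 : p.ambient;
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & p.bounding) | n.ambient;
    n.effective   = f.effective ? n.permitted : n.ambient;
    n.inheritable = p.inheritable;   /* a file's +i bit only ANDs with this set */
    n.bounding    = p.bounding;
    return n;
}

/* Constructed scenario matching the question: an unprivileged shell execs
   ./runner (getcap: cap_net_bind_service+ip), which execs /usr/bin/java (no file caps). */
static const caps_t  shell  = { 0, 0, 0, 0, ~0ULL };
static const fcaps_t runner = { CAP_NET_BIND_SERVICE_BIT, CAP_NET_BIND_SERVICE_BIT, false, true };
static const fcaps_t java   = { 0, 0, false, false };

/* What the wrapper itself gets: permitted only, i.e. "caps = cap_net_bind_service+p". */
caps_t runner_caps(void) { return exec_transform(shell, runner); }

/* Chain as posted: the shell's inheritable set is empty, so the wrapper's
   inheritable set is empty too and nothing survives the exec of java. */
uint64_t java_effective_as_posted(void)
{
    return exec_transform(runner_caps(), java).effective;
}

/* Same chain if the wrapper first raised the cap into its inheritable and ambient sets
   (cap_set_proc() plus prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, ...), Linux >= 4.3). */
uint64_t java_effective_with_ambient(void)
{
    caps_t r = runner_caps();
    r.inheritable |= CAP_NET_BIND_SERVICE_BIT;  /* allowed: the cap is in permitted */
    r.ambient     |= CAP_NET_BIND_SERVICE_BIT;  /* allowed: now in permitted and inheritable */
    return exec_transform(r, java).effective;   /* unprivileged file: ambient becomes effective */
}
```

The model makes the point visible: the file's +i bit is ANDed with the caller's inheritable set, which a normal shell leaves empty, and java itself carries no file capabilities, so only the ambient set (or file capabilities on the java binary) can carry the capability across that second exec.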

2 Answers


Try using a port above 1024, or run as root.

Paul Jackson

Any update?

You may find some answers in the Apache Commons-Daemon jsvc project: "...set of libraries and applications for making Java applications run on UNIX more easily."

They use capabilities, even if they don't allow the user to select which one to apply, for portability reasons I suppose.

BrnVrn