Thanks, Assirati, for such detailed help! I will try your solution tomorrow.
On Thu, Mar 7, 2013 at 6:06 PM, João Luis Meloni Assirati <assir...@nonada.if.usp.br> wrote:
> On 07-03-2013 05:11, Long Wind wrote:
>
>> I am writing java programs
>> I want to bind to a socket: new DatagramSocket(95);
>>
>> when running it I find only root can bind that way
>>
>> Can I give user permission to bind that way?
>
> Usually, ports below 1024 are reserved for root use (because they are used
> by standard services like http, smtp, ssh etc). The linux kernel provides
> "posix capability" (this is the technical name) that can be given to a
> binary executable through the command setcap:
>
> setcap cap_net_bind_service=+ep <program>
>
> which must be run as root, evidently. This command sets up some permissions
> stored in the filesystem that allow <program> to bind to ports below 1024.
> Think of it as a limited form of suid bit, but giving only bind()
> privileges.
>
> However, you are not running an executable binary, but bytecode in a virtual
> machine. I suggest that you try to set those capabilities to the java
> virtual machine executable. In my system, it would be
>
> setcap cap_net_bind_service=+ep /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java
>
> I don't know if the java interpreter will "drop privileges" like bash does
> if it is suid. It would be nice to know, though. This method has two
> disadvantages:
>
> 1. The bind capability is not restricted to one port.
> 2. Any program running in the virtual interpreter
> /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java will have the bind
> privileges.
>
> Another way to solve this problem which does not suffer from the drawbacks
> above would be to make your program bind to an unprivileged port, say,
> 9595, and redirect to this port all the incoming traffic on port 95.
> This can be done with iptables; just run as root the commands:
>
> iptables -t nat -A PREROUTING -p tcp -m tcp --dport 95 -j REDIRECT --to-ports 9595
> iptables -t nat -A OUTPUT -p tcp -m tcp --dport 95 -j REDIRECT --to-ports 9595
>
> These commands must be rerun on each reboot, so you may want to put them in
> /etc/init.d/rc.local.
>
> João Luis.
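As an added example (not code from the thread), a small Java program that tries the privileged port first, which only works as root or when the java binary carries cap_net_bind_service, and otherwise falls back to the unprivileged port that the REDIRECT approach targets. The class name, the loop body and the fallback logic are assumptions; only ports 95 and 9595 come from the thread.

```java
import java.net.BindException;
import java.net.DatagramPacket;
import java.net.DatagramSocket;
import java.net.SocketException;

// Hypothetical example class, not from the thread.
public class PortBindDemo {
    static final int PRIVILEGED_PORT = 95;   // port from the original question
    static final int FALLBACK_PORT = 9595;   // unprivileged port the NAT rule points at

    // Binds a UDP socket on the preferred port; if the kernel refuses with
    // EACCES (surfaced by the JDK as a BindException "Permission denied"),
    // binds on the fallback port instead. Any other SocketException, such as
    // the fallback port already being in use, is propagated to the caller.
    static DatagramSocket bindWithFallback(int preferred, int fallback) throws SocketException {
        try {
            return new DatagramSocket(preferred);          // wildcard address on all interfaces
        } catch (BindException e) {
            System.err.println("bind(" + preferred + ") failed: " + e.getMessage()
                    + "; falling back to port " + fallback);
            return new DatagramSocket(fallback);
        }
    }

    public static void main(String[] args) throws Exception {
        try (DatagramSocket sock = bindWithFallback(PRIVILEGED_PORT, FALLBACK_PORT)) {
            System.out.println("listening on UDP port " + sock.getLocalPort());
            byte[] buf = new byte[1500];
            while (true) {
                DatagramPacket pkt = new DatagramPacket(buf, buf.length);
                sock.receive(pkt);                         // blocks until one datagram arrives
                System.out.println("received " + pkt.getLength() + " bytes from "
                        + pkt.getSocketAddress());
            }
        }
    }
}
```

Because DatagramSocket is UDP, the iptables REDIRECT rules that forward port 95 to 9595 must match `-p udp`; rules written with `-p tcp` affect only TCP connections.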