Hi All,

I am using jsvc to daemonize my Java application, which runs on a
Linux box. I get an error, java.net.BindException: Permission denied. I get this
only for ports < 1024, and I understand that on Linux, binding to any port
below 1024 requires root permission. Therefore I am launching my
application as root. However, I am still not able to get the privileges
required. My jsvc arguments are as follows:

    jsvc.exec -debug -Xdebug -Xnoagent -Djava.compiler=NONE
    -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8008 -jvm server -user
    root -home $JAVA_HOME
    -outfile /var/opt/myfile.out -pidfile /var/run/myfile.pid -errfile '&1'

I am launching as the root user, and in the jsvc arguments I have also
specified "-user root", but I am at a loss as to why I am still getting this
exception when I launch my Jetty server. When I tried to launch it normally,
outside jsvc, it works fine. I have searched on the net, and also came across
this message thread
http://markmail.org/message/3mw6r2dievxvviu3#query:jsvc%20java.net.BindException%3A%20Permission%20denied+page:1+mid:j2w4dpzp4aaypun6+state:results
where it was suggested that some system call had been modified and it worked
thereafter, but I did not find the details.

I have run strace, but could not find any errors.
On starting in debug mode, I see the following messages,

    10/12/2008 18:55:30 6349 jsvc debug: user changed to 'root'
    10/12/2008 18:55:30 6348 jsvc debug: User 'root' validated

and I also don't see any errors.

I was able to get past this problem, but this required me to modify the jsvc
source code, recompile and rebuild. The problem is that in native/jsvc-unix.c,
before starting the service, the capability CAP_NET_BIND_SERVICE is being
disabled for the controlled process, due to which my process is not able to
bind to privileged ports 0 to 1024. To quote from the code,

    #ifdef OS_LINUX
        if (set_caps(0) != 0) {
            log_debug("set_caps (0) failed");
            return(4);
        }
    #else

I had to comment out this part and rebuild jsvc in order to ensure that
my process is able to bind to privileged ports. I was wondering if there is any
runtime option for jsvc to allow binding to privileged ports, but could not
find any. As part of our project, we run our daemon with root user privileges
and also need to be flexible enough to allow the user to specify any port he
wishes to. Since the project is newly supporting Linux platforms, it is turning
out to be a blocker. We are left with the option of repackaging jsvc with the
change. I understand that we do not want to allow non-root users to bind to
privileged ports, but on Linux devices, if the controlled process is being run
as superuser / root, can we do away with set_caps(0), like, say:

    #ifdef OS_LINUX
        if (jsvc_user != SUPER_USER) {
            if (set_caps(0) != 0) {
                log_debug("set_caps (0) failed");
                return(4);
            }
        }

Please let me know if anyone on the list is aware of any other option. It
would also be beneficial if I could know what the security issues are with
making this change. From the commons user list, I came to know that there was a
bug raised for the same, https://issues.apache.org/jira/browse/DAEMON-12, but
I could not find a resolution in that.

Thanks,
Srijith.
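
Added example (not part of the original message, and not jsvc code): a small C diagnostic for the situation described above, where a process runs with effective uid 0 yet cannot bind below port 1024 because CAP_NET_BIND_SERVICE is no longer in its effective capability set. It reads the Uid and CapEff lines of /proc/<pid>/status; the function names, verdict codes and sample status text are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_BIND_SERVICE_BIT 10 /* CAP_NET_BIND_SERVICE in <linux/capability.h> */
enum { PARSE_ERROR = -1, CAN_BIND = 0, ROOT_CAP_DROPPED = 1, NO_CAP = 2 };

/* Constructed /proc/<pid>/status excerpts (not captured from a real system). */
const char SAMPLE_ROOT_DROPPED[] = "Name:\tjsvc\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000000\n";
const char SAMPLE_USER_WITH_CAP[] = "Name:\tjava\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000400\n";

/* Return a pointer to the value of the "name:" line, or NULL if it is absent. */
static const char *field(const char *status, const char *name)
{
    size_t n = strlen(name);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, name, n) == 0 && p[n] == ':') {
            for (p += n + 1; *p == ' ' || *p == '\t'; p++) {}
            return p;
        }
        p = strchr(p, '\n');          /* advance to the start of the next line */
        if (p) p++;
    }
    return NULL;
}

/* Classify a status text: uid 0 alone is not enough, the capability bit decides. */
int low_port_verdict(const char *status)
{
    const char *cap = field(status, "CapEff");
    const char *uid = field(status, "Uid");
    unsigned long eff;                /* second number on the Uid line = effective uid */
    if (!cap || !uid || !isxdigit((unsigned char)*cap)) return PARSE_ERROR;
    if (sscanf(uid, "%*u %lu", &eff) != 1) return PARSE_ERROR;
    if ((strtoull(cap, NULL, 16) >> CAP_NET_BIND_SERVICE_BIT) & 1ULL) return CAN_BIND;
    return eff == 0 ? ROOT_CAP_DROPPED : NO_CAP;
}

int main(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 2; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    printf("self: %d  root-dropped sample: %d\n", low_port_verdict(buf), low_port_verdict(SAMPLE_ROOT_DROPPED));
    return 0;
}
```

A verdict of 1 (ROOT_CAP_DROPPED) matches the symptom in the message: the debug log shows the user as root, but the effective capability mask has no bit 10, so bind() on a port below 1024 is refused.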