HOWTO make Java listen on privileged ports
Why do that
Receive logs over TCP or Lumberjack on a port lower than 1024.
Note
Enabling privileged ports is discouraged. You must be aware that this scheme enables any Java application on your system to listen on such ports, which may constitute a potential security vulnerability (e.g. protocol spoofing). Still, it's far better than running an instance of Java as root.
Prerequisites
- A working configuration of a topology (e.g. tested with another port).
- A version of the Linux kernel that allows this behavior: no specific hardening on this part, no GRSecurity. Ask your sysadmin for more details about blocking NET_CAPABILITIES.
What to do
1. Check that the port is not already taken (in this example the targeted port is 55):
sudo ss -tnlp | grep 55
2. Also check the real path of your Java binary, following the symlink chain down to the actual file:
ls -l /usr/bin/java
lrwxrwxrwx 1 root root 22 oct. 3 2016 /usr/bin/java -> /etc/alternatives/java
ls -l /etc/alternatives/java
lrwxrwxrwx 1 root root 46 oct. 3 2016 /etc/alternatives/java -> /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
3. Set the capability on that Java binary:
sudo setcap cap_net_bind_service=+ep /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
4. Restart your channel and check that Java now listens on the port:
channelctl start --channel websense_web_security
mytenant/websense_web_security/main/single_topology.json ............................................ ACTIVE
[cpu load: 1,18 ......]
mytenant/websense_web_security ...................................................................... ACTIVE
sudo ss -tnlp | grep 55
LISTEN 0 128 :::55 :::* users:(("java",pid=30140,fd=200))
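The four steps above, as an added example script that is not part of the original HOWTO. It makes each check stricter than the manual commands: the port test matches the exact local port of a LISTEN socket instead of grepping for "55" (which would also match port 5500 or a pid), the symlink chain is resolved with readlink so setcap targets the real ELF file, and the capability is verified from getcap output after it is set. The port, the /usr/bin/java path and the sample strings in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: performs the four steps with
# stricter checks. Port 55 and /usr/bin/java are assumed defaults.
set -e

# Step 1, stricter than `grep 55`: read `ss -tnl` output on stdin and succeed
# only if a LISTEN socket's local port is exactly $1.
port_listening() {
    awk -v p="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Step 2: follow the whole symlink chain (/usr/bin/java -> /etc/alternatives/java
# -> .../jre/bin/java) so the capability lands on the real file.
resolve_java() {
    readlink -f "$1"
}

# Step 3 verification: given one line of `getcap` output, succeed if
# cap_net_bind_service is in the effective set. Accepts the older
# "cap_net_bind_service+ep" form, the libcap >= 2.41 "cap_net_bind_service=ep"
# form, and grouped lists such as "cap_net_bind_service,cap_net_raw=ep".
has_bind_cap() {
    flags=$(printf '%s\n' "$1" |
        sed -n 's/.*cap_net_bind_service[^+=]*[+=]\([a-z]*\).*/\1/p')
    case "$flags" in
        *e*) return 0 ;;
        *)   return 1 ;;
    esac
}

# The whole procedure; only run when invoked as `./setcap-java.sh apply [port]`.
main() {
    port=${1:-55}
    java_bin=$(resolve_java /usr/bin/java)

    if ss -tnl | port_listening "$port"; then
        echo "port $port is already in use, aborting" >&2
        return 1
    fi

    sudo setcap cap_net_bind_service=+ep "$java_bin"

    if has_bind_cap "$(getcap "$java_bin")"; then
        echo "cap_net_bind_service is effective on $java_bin"
    else
        echo "setcap did not take effect on $java_bin" >&2
        return 1
    fi

    # The capability sits on the shared JVM binary, so every Java process on
    # the host can now bind low ports: list every capability-bearing file under
    # the JVM directory so the change stays visible to whoever reviews the box.
    getcap -r "$(dirname "$java_bin")" 2>/dev/null || true
}

if [ "${1:-}" = "apply" ]; then
    shift
    main "$@"
fi
```

Two caveats worth keeping in mind when using this: file capabilities are stored as an extended attribute on that one file, so a JDK package upgrade that replaces the binary silently drops the capability and the bind will start failing again until step 3 is redone (the getcap check above is the quickest way to spot it); and, as the Note says, the grant applies to every Java process started from that binary, not only to your channel, so the trailing `getcap -r` listing is there to keep that fact in view.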