
HOWTO make Java listen on privileged ports

Why do that

Receive logs over TCP or Lumberjack on a port below 1024.

Note

Enabling privileged ports this way is discouraged. Be aware that this scheme lets any Java application on the system bind ports below 1024, which can constitute a security weakness (e.g. protocol spoofing). Still, it's far better than running an instance of Java as root.

Prerequisites

  • A working topology configuration (e.g. already tested with another port).
  • A Linux kernel that allows this behaviour: no specific hardening of this part, no grsecurity. Ask your sysadmin for details about whether network capabilities such as cap_net_bind_service are blocked.

What to do

1. Check that the port is not already taken (the target port is 55 in this example).

sudo ss -tnlp | grep 55

2. Check the real path of your Java binary, following the symlinks:

ls -l /usr/bin/java
lrwxrwxrwx 1 root root 22 oct.   3  2016 /usr/bin/java ->/etc/alternatives/java
ls -l /etc/alternatives/java
lrwxrwxrwx 1 root root 46 oct.   3  2016 /etc/alternatives/java ->/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java

3. Set the capability on the Java binary found in step 2:

sudo setcap cap_net_bind_service=+ep /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java

4. Restart your channel and check that Java now listens on the port.

channelctl start --channel websense_web_security

mytenant/websense_web_security/main/single_topology.json ............................................ ACTIVE
[cpu load: 1,18 ......]
mytenant/websense_web_security ...................................................................... ACTIVE

sudo ss -tnlp | grep 55
LISTEN     0      128         :::55 :::*                   users:(("java",pid=30140,fd=200))
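The checks in steps 1 to 4 can be scripted. The helpers below are an added example written for this page, not part of the original HOWTO or of any product it mentions. They assume a Linux host with iproute2 `ss`, GNU or busybox `stat`, and libcap's `getcap`; the `ss` and `getcap` outputs at the bottom are constructed samples so the script runs offline. `port_in_use` matches the Local Address column on exactly `:PORT`, which avoids the false hit a plain `grep 55` gives for ports such as 5500 or 1055; `safe_to_setcap` refuses a binary that is not root-owned or is group/other writable, because a file capability on a binary someone else can overwrite hands that person the capability too.

```shell
#!/bin/sh
# Added example for the privileged-port HOWTO (not the page's own code).
# Assumes Linux with `ss` (iproute2), `stat` (GNU/busybox) and `getcap` (libcap).

# port_in_use PORT SS_OUTPUT: succeed if a LISTEN socket is bound to exactly PORT.
# $4 of `ss -tnlp` is "Local Address:Port"; anchoring on ":PORT$" rules out 5500 or 1055
# when looking for 55.
port_in_use() {
    printf '%s\n' "$2" | awk -v p="$1" \
        '$1 == "LISTEN" && $4 ~ (":" p "$") { found = 1 } END { exit !found }'
}

# has_bind_cap GETCAP_OUTPUT: succeed if cap_net_bind_service is in the effective
# and permitted sets. Accepts the older "path = cap+ep" and the newer "path cap=ep"
# getcap formats.
has_bind_cap() {
    printf '%s\n' "$1" | grep -Eq 'cap_net_bind_service(,[a-z_]+)*[+=]ei?p'
}

# safe_to_setcap PATH: succeed only if PATH is a regular file owned by root and
# not writable by group or others.
safe_to_setcap() {
    [ -f "$1" ] || return 1
    owner=$(stat -c '%U' "$1") || return 1
    mode=$(stat -c '%a' "$1") || return 1
    [ "$owner" = "root" ] || return 1
    # last two octal digits are the group and other permission bits; 2 = write
    grp=$(( (mode / 10) % 10 ))
    oth=$(( mode % 10 ))
    [ $(( grp & 2 )) -eq 0 ] && [ $(( oth & 2 )) -eq 0 ]
}

# verify_java JAVA_PATH: the live check to run after step 3. Resolves the symlink
# chain (step 2), checks ownership/permissions, then checks the capability on the
# real binary. Note that a package upgrade replaces the binary and silently drops
# the file capability, so rerun this after upgrades.
verify_java() {
    real=$(readlink -f "$1") || return 1
    echo "resolved binary: $real"
    safe_to_setcap "$real" || { echo "refusing: $real is not a root-owned, non-writable file"; return 1; }
    has_bind_cap "$(getcap "$real" 2>/dev/null)" || { echo "cap_net_bind_service not set on $real"; return 1; }
    echo "ok: $real may bind ports below 1024"
}

# Constructed sample outputs (not captured from a real host) for an offline run.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:5500      0.0.0.0:*          users:(("other",pid=1,fd=3))
LISTEN 0      128    :::55             :::*               users:(("java",pid=30140,fd=200))'
SAMPLE_GETCAP='/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java cap_net_bind_service=ep'

port_in_use 55 "$SAMPLE_SS"    && echo "port 55: in use (java owns it in the sample)"
port_in_use 500 "$SAMPLE_SS"   || echo "port 500: free (a plain grep would have matched 5500)"
has_bind_cap "$SAMPLE_GETCAP"  && echo "capability present on the sample binary"
```

On a real host, run `verify_java /usr/bin/java` after step 3; it prints the resolved path so you can confirm it is the same binary you passed to `setcap`.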