
HOWTO make Java listen on privileged ports

Why do that

Receive logs over TCP or Lumberjack on a port below 1024. Such ports are privileged on Linux: only root, or a process holding CAP_NET_BIND_SERVICE, may bind them.

Note

Granting this capability is discouraged and should be a last resort. Be aware that the capability is attached to the Java binary itself, not to your application: every process started from that binary, by any local user, may then bind any port below 1024. A local user could, for example, start a JVM on a well-known port and impersonate the service normally found there (protocol spoofing). Two practical caveats: the capability is stored as an extended attribute on the file, so it is silently lost when a package upgrade replaces the binary, and it is ignored on filesystems mounted nosuid. Still, it is far better than running a Java instance as root. Where the JVM is started by systemd, AmbientCapabilities=CAP_NET_BIND_SERVICE in the unit grants the same capability to that one service only, which is the narrower option.

Prerequisites

  • A working configuration of a topology (e.g. tested with another, unprivileged port.)
  • A Linux kernel and filesystem that honour file capabilities: no specific hardening on this part (hardened kernels such as grsecurity may block it), and the Java binary must not live on a nosuid mount. Ask your sysadmin whether CAP_NET_BIND_SERVICE or file capabilities in general are blocked on the host.

What to do

1 . Check that the port is not yet taken (the targeted port is 55 in this example). Filter on the source port rather than grepping for "55", which would also match 5555, 1055 and so on:

$ sudo ss -tnlp 'sport = :55'

2 . Resolve the real path of your Java binary. On Debian-style systems /usr/bin/java is a symlink chain through the alternatives system; the capability has to be set on the final file, not on a symlink, so follow the chain to its end:

$ ls -l /usr/bin/java
lrwxrwxrwx 1 root root 22 oct.   3  2016 /usr/bin/java -> /etc/alternatives/java
$ ls -l /etc/alternatives/java
lrwxrwxrwx 1 root root 46 oct.   3  2016 /etc/alternatives/java -> /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java

3 . Set the capability on the resolved Java binary (cap_net_bind_service, raised in the effective and permitted sets):

$ sudo setcap cap_net_bind_service=+ep /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java

If the JVM then refuses to start with "error while loading shared libraries: libjli.so", the cause is that the dynamic loader runs a capability-bearing binary in secure-execution mode and no longer trusts its $ORIGIN-relative RPATH; adding the JVM directory that contains libjli.so to a file under /etc/ld.so.conf.d/ and running ldconfig fixes it.

4 . Restart your channel and check that the JVM now owns the port:

$ punchplatform-channel.sh --start mytenant/websense_web_security
mytenant/websense_web_security/main/single_topology.json ............................................ ACTIVE
[cpu load: 1,18 ......]
mytenant/websense_web_security ...................................................................... ACTIVE
$ sudo ss -tnlp 'sport = :55'
LISTEN     0      128         :::55 :::*                   users:(("java",pid=30140,fd=200))
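The four steps above collected into one script, added here as an illustration; it is not part of the original page nor of punchplatform. It assumes a Linux host with iproute2 (ss), libcap (setcap, getcap) and sudo. The function names, the hypothetical invocation `sh grant-bind.sh /usr/bin/java 55`, and the getcap output formats quoted in the comments are the example's own assumptions, not anything the page states. Beyond the page's case it also reads the kernel's unprivileged-port floor (net.ipv4.ip_unprivileged_port_start, Linux 4.11 and later) instead of hard-coding 1024, and it verifies with getcap that the capability actually landed on the file, which catches nosuid mounts and missing xattr support.

```shell
#!/bin/sh
# Added example (not from the original page): grant CAP_NET_BIND_SERVICE to a
# JVM binary the way the HOWTO describes, with the checks a practitioner wants.
# Usage (hypothetical): sh grant-bind.sh /usr/bin/java 55
set -eu

# Step 2: follow the symlink chain (/usr/bin/java -> /etc/alternatives/java ->
# real binary). File capabilities live in an xattr on the final file, so the
# capability must be set there, not on a symlink.
resolve_java() {
    readlink -f "$1"
}

# Ports below this floor need CAP_NET_BIND_SERVICE. Kernels 4.11+ expose the
# floor as a sysctl; older kernels hard-code 1024, which is also the default.
unprivileged_port_start() {
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        cat /proc/sys/net/ipv4/ip_unprivileged_port_start
    else
        echo 1024
    fi
}

# needs_cap PORT [FLOOR]: succeeds when binding PORT requires the capability.
needs_cap() {
    port=$1
    floor=${2:-$(unprivileged_port_start)}
    [ "$port" -lt "$floor" ]
}

# Step 1: is anything already listening on PORT (any address family)?
port_in_use() {
    ss -Htnl "sport = :$1" | grep -q .
}

# Parse one line of getcap output and succeed only if cap_net_bind_service is
# present with both the effective (e) and permitted (p) flags. Older libcap
# prints "PATH = cap_net_bind_service+ep", newer libcap prints
# "PATH cap_net_bind_service=ep"; several caps may share one clause
# ("cap_net_bind_service,cap_net_raw=ep") and a line may hold several clauses.
cap_granted() {
    caps=${1#* }          # drop the path
    caps=${caps#= }       # drop the old-format separator, if present
    for clause in $caps; do
        case "$clause" in
            *cap_net_bind_service*) ;;
            *) continue ;;
        esac
        flags=${clause##*[+=]}
        case "$flags" in
            *e*) case "$flags" in *p*) return 0 ;; esac ;;
        esac
    done
    return 1
}

# Steps 1 to 4 end to end.
main() {
    real=$(resolve_java "$1")
    port=$2
    if ! needs_cap "$port"; then
        echo "port $port is not privileged on this host; no capability needed"
        return 0
    fi
    if port_in_use "$port"; then
        echo "port $port is already taken:"
        ss -tnlp "sport = :$port"
        return 1
    fi
    # Step 3: grant the capability to the real binary, then prove it stuck.
    sudo setcap cap_net_bind_service=+ep "$real"
    if cap_granted "$(getcap "$real")"; then
        echo "capability set on $real; restart the channel, then verify with:"
        echo "  sudo ss -tnlp 'sport = :$port'"
    else
        echo "getcap does not report the capability on $real (nosuid mount? no xattr support?)"
        return 1
    fi
}

if [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Run it as the user who will start the channel; only the setcap call itself goes through sudo. If it reports that the port is not privileged, the host already lowered ip_unprivileged_port_start, which is broader than a per-binary capability and worth raising with the sysadmin.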