On 07-03-2013 05:11, Long Wind wrote:
I am writing java programs
I want to bind to a socket: new DatagramSocket(95);

when running it I find only root can bind that way

Can I give a user permission to bind that way?

Usually, ports below 1024 are reserved for root use (because they are used by standard services like http, smtp, ssh etc). The Linux kernel provides "posix capabilities" (this is the technical name) that can be given to a binary executable through the command setcap:

setcap cap_net_bind_service=+ep <program>

which must be run as root, evidently. This command sets up some permissions stored in the filesystem that allow <program> to bind to ports below 1024. Think of it as a limited form of suid bit, but giving only bind() privileges.

However, you are not running an executable binary, but bytecode in a virtual machine. I suggest that you try to set those capabilities on the java virtual machine executable. In my system, it would be

setcap cap_net_bind_service=+ep /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java

I don't know if the java interpreter will "drop privileges" like bash does if it is suid. It would be nice to know, though. This method has two disadvantages:

1. The bind capability is not restricted to one port.
2. Any program running in the virtual interpreter /usr/lib/jvm/java-6-openjdk-amd64/jre/bin/java will have the bind privileges.

Another way to solve this problem which does not suffer from the drawbacks above would be to make your program bind to an unprivileged port, say, 9595, and redirect all incoming traffic on port 95 to this port. This can be done with iptables, just run as root the commands:

# DatagramSocket is UDP, so the rules match udp (not tcp) on port 95
iptables -t nat -A PREROUTING -p udp -m udp --dport 95 -j REDIRECT --to-ports 9595
iptables -t nat -A OUTPUT -p udp -m udp --dport 95 -j REDIRECT --to-ports 9595

These commands must be rerun on each reboot, so you may want to put them in /etc/init.d/rc.local.

João Luis.
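As an added example (not part of João Luis's reply), a small Python script that checks, from the process side, whether CAP_NET_BIND_SERVICE is actually in a process's effective capability set, which is the way to find out whether the JVM keeps the capability granted with setcap, and whether a UDP bind on a given port succeeds. It assumes Linux, where capability number 10 is CAP_NET_BIND_SERVICE and /proc/<pid>/status exposes the effective mask on its CapEff line.

```python
import os
import re
import socket

# CAP_NET_BIND_SERVICE is capability number 10 in <linux/capability.h>.
CAP_NET_BIND_SERVICE = 10


def parse_cap_mask(status_text):
    """Return the effective capability bitmask from the CapEff line of a /proc/<pid>/status text."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line found")
    return int(match.group(1), 16)


def has_cap(cap_mask, cap_number):
    """True if capability number `cap_number` is set in `cap_mask`."""
    return bool((cap_mask >> cap_number) & 1)


def process_can_bind_privileged(pid="self"):
    """Read /proc/<pid>/status (Linux only) and report whether CAP_NET_BIND_SERVICE is effective."""
    with open(f"/proc/{pid}/status") as fh:
        return has_cap(parse_cap_mask(fh.read()), CAP_NET_BIND_SERVICE)


def try_bind_udp(port):
    """Attempt a UDP bind on 127.0.0.1:<port>; return (ok, errno_or_None) and release the socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind(("127.0.0.1", port))
        return True, None
    except OSError as exc:
        # EACCES here is the "only root can bind" failure from the question
        return False, exc.errno
    finally:
        sock.close()


if __name__ == "__main__":
    print("CAP_NET_BIND_SERVICE effective:", process_can_bind_privileged())
    for port in (95, 9595):
        ok, err = try_bind_udp(port)
        print(f"bind udp/{port}: {'ok' if ok else os.strerror(err)}")
```

Passing the JVM's pid instead of "self" (for example `process_can_bind_privileged(1234)`) shows whether a running Java process holds the capability after exec of the setcap'ed binary.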


Archive: http://lists.debian.org/513866a0.7010...@nonada.if.usp.br
