
Capabilities & Linux & Java

I am experimenting with Linux capabilities for a Java application. I do not want to add capabilities to the interpreter (JVM), so I tried to write a simple wrapper (with debugging information printed to stdout):

#include <stdio.h>
#include <stdlib.h>
#include <sys/capability.h>
#include <unistd.h>

int main(int argc, char *argv[]){
        cap_t cap = cap_get_proc();

        if (!cap) {
                perror("cap_get_proc");
                exit(1);
        }
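        /* Print the capability sets this process was started with. */
        char *text = cap_to_text(cap, NULL);
        printf("%s: running with caps %s\n", argv[0], text ? text : "(unknown)");
        fflush(stdout);
        if (text)
                cap_free(text);
        cap_free(cap);

        /* The first argument after the path becomes argv[0] of the new program,
           so the program name has to come before the JVM options. */
        execlp("/usr/bin/java", "java", "-server", "-jar", "project.jar", (char *)NULL);
        perror("execlp");       /* reached only if the exec failed */
        return 1;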
}

This way, I can see that the capability is set for this executable:

./runner: running with caps = cap_net_bind_service+p

And getcap shows

runner = cap_net_bind_service+ip

I have the capability set to be inheritable, so there should be no problem. However, java still doesn't want to bind to privileged ports.

I am getting this error:

sun/nio/ch/Net.java:-2:in `bind': java.net.SocketException: Permission denied (NativeException)

Can someone help me to resolve this?

Try using a port above 1024, or run as root.

Any update?

You may find some answers in the Apache Commons-Daemon jsvc project: "...set of libraries and applications for making Java applications run on UNIX more easily."

They use capabilities, even if they don't allow the user to select which one to apply, for portability reasons I suppose.
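
An added example, not part of the original question or answers: the execve() capability rule from capabilities(7) written out as a function, next to a wrapper that raises the capability into the ambient set (Linux 4.3 or later) so it survives the exec of a java binary that has no file capabilities. It assumes the wrapper holds cap_net_bind_service in its permitted set, as the runner in the question does, and it uses the raw capget/capset system calls instead of libcap; the function names are made up for this example.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define BIT(c) (1ULL << (c))

/* execve() rule from capabilities(7) for a non-root process: the new permitted
 * set is (P_inh & F_inh) | (F_perm & P_bound) | P'_amb, and the ambient set is
 * cleared when the executed file carries file capabilities. */
uint64_t permitted_after_exec(uint64_t p_inh, uint64_t p_bound, uint64_t p_amb,
                              uint64_t f_inh, uint64_t f_perm, int file_has_caps)
{
    uint64_t amb = file_has_caps ? 0 : p_amb;
    return (p_inh & f_inh) | (f_perm & p_bound) | amb;
}

/* Add `cap` to the inheritable set, then raise it into the ambient set so it
 * survives execve() of a binary without file capabilities. `cap` must already
 * be in the permitted set. Returns 0 on success, -1 on failure (errno set). */
int keep_cap_across_exec(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    data[CAP_TO_INDEX(cap)].inheritable |= CAP_TO_MASK(cap);
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -1;
    return prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) == 0 ? 0 : -1;
}

int main(void)
{
    if (keep_cap_across_exec(CAP_NET_BIND_SERVICE) != 0) {
        perror("keep_cap_across_exec");
        return 1;
    }
    /* Same command line as the wrapper in the question. */
    execlp("/usr/bin/java", "java", "-server", "-jar", "project.jar", (char *)NULL);
    perror("execlp");
    return 1;
}
```

With an empty ambient set and no file capabilities on /usr/bin/java, the rule yields an empty permitted set after the exec, which matches the "Permission denied" from bind in the question.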
