Binding a server to privileged port on Linux w/o running as root
By Sylvain Duloutre on Feb 04, 2014
This is applicable to any service using privileged ports (< 1024), for instance to run an HTTP server on port 80 or an LDAP directory server on port 1024.
- Running the server as root is not a recommended option, for security reasons.
- Using iptables to map a privileged port (e.g. 389) to a non-privileged port is a well-known method.
- Updating the Linux configuration to put 389 on the non-privileged port list is another option.
There is another option that I use frequently, based on setcap, to run OUD on port 389 in my labs:
This solution requires installing and modifying a Java 7 JVM dedicated to OUD use.
Such a configuration has security implications: anyone able to run that JVM gains the right to bind to privileged ports (the setting is JVM-wide, not restricted to a specific jar file/application), so access to the JVM should be restricted to the appropriate user only (the one allowed to start OUD).
Here is the procedure:
- download the patchelf sources from here and compile them on the target Linux system.
- install the setcap package on Linux if needed.
- install a Java 7 SDK on the target system, e.g. /space/java/jdk1.7.0_45, and restrict access to that JVM (java and jre) to the appropriate user only (the one used to start OUD). Put additional security measures in place if needed.
- as root, run the following commands to allow java to bind to privileged ports:
setcap cap_net_bind_service=+epi <JAVA_HOME>/bin/java
setcap cap_net_bind_service=+epi <JAVA_HOME>/jre/bin/java
- change the java dynamic library loading strategy, as the default strategy is not compatible with setcap:
patchelf --set-rpath <JAVA_HOME>/jre/lib/amd64/jli <JAVA_HOME>/jre/bin/java
patchelf --set-rpath <JAVA_HOME>/lib/amd64/jli <JAVA_HOME>/bin/java
- modify the JVM used by OUD: edit java.properties and set the relevant property, e.g. default.java-home, to the patched JVM.
- start OUD with the standard start-ds command.
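As an added example (not part of the original post), the script below applies the setcap and patchelf steps above to both launchers and verifies each one, accepting both output formats that getcap uses. It assumes the JAVA_HOME from the post and a service account/group named oud (both assumptions, overridable by environment variable); the RPATH is needed because a file capability makes ld.so ignore LD_LIBRARY_PATH, which the Java 7 launcher otherwise uses to find libjli.so.

```shell
#!/bin/sh
# Added example, not from the original post: apply the setcap + patchelf
# steps to one JDK and verify each one. JAVA_HOME and OUD_USER (the
# service account allowed to start OUD) are assumptions; adjust them.
set -eu

JAVA_HOME="${JAVA_HOME:-/space/java/jdk1.7.0_45}"
OUD_USER="${OUD_USER:-oud}"

# Accept both getcap output styles: "path = cap_net_bind_service+eip"
# (older libcap) and "path cap_net_bind_service=eip" (newer libcap).
# The capability must be both effective (e) and permitted (p); an
# inheritable-only (+i) grant or no output at all means setcap failed.
caps_granted() {
    case "$1" in *cap_net_bind_service*) ;; *) return 1 ;; esac
    flags=$(printf '%s\n' "$1" | sed 's/.*[=+]//')
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) ;; *) return 1 ;; esac
}

# A file capability makes the kernel treat the launcher as secure-exec,
# so ld.so ignores LD_LIBRARY_PATH, which the Java 7 launcher relies on
# to locate libjli.so. The RPATH therefore has to name the jli directory.
rpath_has_jli() {   # $1 = colon-separated RPATH, $2 = expected jli dir
    case ":$1:" in *":$2:"*) return 0 ;; *) return 1 ;; esac
}

harden_launcher() { # $1 = java launcher, $2 = its jli directory
    # Restrict execution to root and the OUD group before setcap:
    # chown clears file capabilities, so the order matters.
    chown root:"$OUD_USER" "$1"
    chmod 0750 "$1"
    setcap cap_net_bind_service=+epi "$1"
    caps_granted "$(getcap "$1")" || { echo "capability missing on $1" >&2; return 1; }
    patchelf --set-rpath "$2" "$1"
    rpath_has_jli "$(patchelf --print-rpath "$1")" "$2" \
        || { echo "RPATH not applied on $1" >&2; return 1; }
}

# Run the procedure only when invoked as root with the "apply" argument.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "apply" ]; then
    harden_launcher "$JAVA_HOME/jre/bin/java" "$JAVA_HOME/jre/lib/amd64/jli"
    harden_launcher "$JAVA_HOME/bin/java"     "$JAVA_HOME/lib/amd64/jli"
    getcap "$JAVA_HOME/bin/java" "$JAVA_HOME/jre/bin/java"
fi
```

Run it as root with `apply` after installing the JDK; without that argument it only defines the check functions, so it can be sourced to re-verify a launcher later.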