Server Fault Asked by Dylan Klomparens on November 24, 2021
I’m trying to use Linux Capabilities to allow a program (httpd) to bind to a privileged port (443) as a non-privileged user.
I set the capabilities for the program using this command:
setcap CAP_NET_BIND_SERVICE+eip httpd
Then I verified that the capability was successfully set with…
getcap httpd
which prints…
httpd = cap_net_bind_service+eip
When I attempt to start the program, it exits because it cannot bind to the required port. I discovered this using strace:
strace -f httpd
reveals “permission denied, can’t bind, shutting down”:
...
write(2, "(13)Permission denied: AH00072: "..., 85(13)Permission denied: AH00072: make_sock: could not bind to address [redacted X.X.X.X]:443) = 85
close(3) = 0
write(2, "no listening sockets available, "..., 46no listening sockets available, shutting down
...
What should I do to make Linux Capabilities work correctly and allow the program to bind to a privileged port?
A quick search suggests that a mount with the nosuid flag can prevent Capabilities from functioning, and I verified that it’s not interfering in this case.
You need to set the capabilities on the absolute path of the httpd app.
setcap CAP_NET_BIND_SERVICE+eip <path/to/executable>
Example: Here I will be using java, which tomcat uses to run our application.
java location:
/opt/java/bin/java
Setting capabilities:
setcap CAP_NET_BIND_SERVICE+eip /opt/java/bin/java
Answered by Bharath on November 24, 2021
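The following is an added example, not part of the question or the answer above, that turns the checks discussed in this thread into a small POSIX shell script: it parses getcap output (both the older `file = cap+eip` layout and the newer `file cap=eip` layout), checks that the capability is in both the effective and permitted file sets, detects a nosuid mount from a mount-option string, decodes the CapEff mask of a running process from /proc/<pid>/status, and, when given an executable name, resolves the binary that will really run before inspecting it (a wrapper script or a different binary earlier in PATH is the usual reason a correctly applied setcap "does nothing"). The function names are this example's own; the live part assumes libcap's getcap, util-linux findmnt and GNU readlink -f, while the parsing helpers run on constructed strings and need none of those tools.

```shell
#!/bin/sh
# Added example, not part of the question or answer above.  Helpers to check
# why a file capability such as cap_net_bind_service does not take effect,
# plus a live "diagnose" that ties them together.  Assumes libcap's getcap,
# util-linux findmnt and GNU readlink -f when run live; the parsing helpers
# work on constructed strings and need none of those tools.

# Print the flag letters granted to capability $2 in one line of getcap
# output ($1), or nothing if the capability is absent.  Understands the
# older "file = cap_a,cap_b+eip" layout and the newer "file cap_a=eip"
# layout (libcap >= 2.41).  Names are matched case-insensitively, which is
# why "CAP_NET_BIND_SERVICE" given to setcap shows up lowercase in getcap.
cap_flags_of() {
    cap=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' |
        sed -n "s/.*[ =,]${cap}[^+=]*[+=]\([eip]*\).*/\1/p"
}

# Succeed if the capability is in both the permitted and effective file
# sets: +p puts it in the new process's permitted set and +e raises it into
# the effective set at exec, which is what a program that simply calls
# bind() without cap_set_proc() relies on.  "+i" alone (inheritable) only
# matters if the parent's inheritable set already contains the capability.
cap_is_usable() {
    flags=$(cap_flags_of "$1" "$2")
    case $flags in
        *e*p*|*p*e*) return 0 ;;
    esac
    return 1
}

# Succeed if a comma-separated mount option string contains nosuid.  The
# kernel ignores file capabilities (like setuid bits) on nosuid mounts.
opts_have_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
    esac
    return 1
}

# Decode the hexadecimal CapEff value from /proc/<pid>/status and report
# whether bit 10 (CAP_NET_BIND_SERVICE) is set in the running process.
capeff_has_net_bind() {
    [ $(( (0x$1 >> 10) & 1 )) -eq 1 ]
}

# Live check of the executable that will really run, for the answer's point
# that the capability has to be on the actual binary: resolve the name as
# the shell would, follow symlinks, warn on wrapper scripts, read getcap on
# the resolved file, and check the mount it lives on.
diagnose() {
    exe=$(command -v "$1") || { echo "not found in PATH: $1"; return 1; }
    real=$(readlink -f "$exe")
    echo "invoked as:  $exe"
    echo "resolves to: $real"
    if [ "$(head -c 2 "$real")" = '#!' ]; then
        echo "WARNING: $real is a script; the kernel takes file capabilities" \
             "from the interpreter it execs, so setcap on a wrapper does nothing"
    fi
    line=$(getcap "$real" 2>/dev/null || true)
    if cap_is_usable "$line" cap_net_bind_service; then
        echo "OK: cap_net_bind_service is +e+p on $real"
    else
        echo "MISSING: cap_net_bind_service not +e+p on $real (getcap: '${line:-nothing}')"
    fi
    opts=$(findmnt -n -o OPTIONS -T "$real" 2>/dev/null || true)
    if opts_have_nosuid "$opts"; then
        echo "WARNING: $real is on a nosuid mount ($opts); file capabilities are ignored"
    fi
}

# Usage: sh capcheck.sh httpd   (with no argument the script only defines helpers)
[ $# -eq 0 ] || diagnose "$1"
```

Run it with the same name you type to start the server (`sh capcheck.sh httpd`, or the path from your init script); if "invoked as" and "resolves to" differ from the file you ran setcap on, that is the mismatch the answer describes. To confirm from the other side, start the server and check `capeff_has_net_bind "$(awk '/^CapEff/ {print $2}' /proc/<pid>/status)"` on the listening process.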