commons-dev mailing list archives

From "Srijith Kochunni" <ksrij...@novell.com>
Subject [commons-daemon] jsvc controlled process unable to bind to port 80
Date Thu, 18 Dec 2008 07:59:50 GMT

Hi All,

I am using jsvc to daemonize my Java application, which runs on a Linux box. I get
an error, java.net.BindException: Permission denied. I get this only for ports < 1024, and
I understand that on Linux, to bind to any port below 1024, you require root permission.
Therefore I am launching my application as root. However, I am still not able to get the privileges
required. My jsvc arguments are as follows.


   jsvc.exec -debug -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8008
-jvm server -user root -home $JAVA_HOME 
  -outfile /var/opt/myfile.out -pidfile /var/run/myfile.pid -errfile '&1'   


I am launching as the root user, and in the jsvc arguments I have also specified "-user root",
but I am at a loss as to why I am still getting this exception when I launch my Jetty server.
When I tried to launch it normally outside jsvc, it worked fine. I have searched on the net
and also came across this message thread http://markmail.org/message/3mw6r2dievxvviu3#query:jsvc%20java.net.BindException%3A%20Permission%20denied+page:1+mid:j2w4dpzp4aaypun6+state:results
where it was suggested that some system call had been modified and it worked thereafter, but
I did not find the details.


I have run strace, but could not find any errors.
On starting in debug mode, I see the following messages:
10/12/2008 18:55:30 6349 jsvc debug: user changed to 'root' 
10/12/2008 18:55:30 6348 jsvc debug: User 'root' validated 
and I also don't see any errors.


       I was able to get past this problem, but this required me to modify jsvc source code
and recompile and build. The problem is that in native/jsvc-unix.c before starting the service,
the capability CAP_NET_BIND_SERVICE is being disabled for the controlled process, due to which
my process is not able to bind to privileged ports 0 to 1024. To quote from the code, 

        #ifdef OS_LINUX
            if (set_caps(0)!=0) {
                log_debug("set_caps (0) failed");
                return(4);
            }
        #else

I had to comment out this part and rebuild jsvc in order to ensure that my process
is able to bind to privileged ports. I was wondering if there is any runtime option for jsvc
to allow binding to privileged ports, but could not find any. As part of our project, we run
our daemon with root user privileges and also need to be flexible enough to allow the user to
specify any ports he wishes to. Since the project is newly supporting Linux platforms, it is
turning out to be a blocker. We are left with the option of repackaging jsvc with the change.
I understand that we do not want to allow non-root users to bind to privileged ports, but
on Linux devices, if the controlled process is being run as superuser / root, can we do away
with set_caps(0), like, say:

        
        #ifdef OS_LINUX
            if (jsvc_user != SUPER_USER) {
                if (set_caps(0)!=0) {
                    log_debug("set_caps (0) failed");
                    return(4);
                }
            }


Please let me know if anyone on the list is aware of any other option. It would also
be beneficial if I could know what the security issues are with making this change. From the
commons user list, I came to know that there was a bug raised for the same, https://issues.apache.org/jira/browse/DAEMON-12,
but I could not find a resolution in that.


Thanks, 
Srijith. 
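
The situation described in the message (uid 0, yet no right to bind below 1024) can be confirmed from outside the process by reading the CapEff mask in /proc/<pid>/status. The following is an added diagnostic, not code from the original message or from jsvc; the function names and the two sample status texts are constructed, and the all-zero mask is the assumed state after set_caps(0).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_NET_BIND_SERVICE_BIT 10  /* value defined in <linux/capability.h> */

/* Constructed sample: uid 0 but an empty effective set (assumed state after set_caps(0)). */
static const char SAMPLE_DROPPED[] =
    "Name:\tjsvc\nUid:\t0\t0\t0\t0\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n";
/* Constructed sample: only CAP_NET_BIND_SERVICE (bit 10 = 0x400) is effective. */
static const char SAMPLE_BIND[] =
    "Name:\tjsvc\nUid:\t0\t0\t0\t0\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n";

/* Find "<field>:" at the start of a line in /proc/<pid>/status text and parse its hex mask.
 * Returns 0 on success, -1 if the field is missing or has no hex digits. */
static int cap_mask(const char *status, const char *field, unsigned long long *mask)
{
    size_t flen = strlen(field);
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            char *end;
            *mask = strtoull(line + flen + 1, &end, 16);
            return end == line + flen + 1 ? -1 : 0;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* 1 = process may bind ports below 1024, 0 = it may not, -1 = CapEff not found. */
static int can_bind_privileged(const char *status)
{
    unsigned long long eff;
    if (cap_mask(status, "CapEff", &eff) != 0)
        return -1;
    return (int)((eff >> CAP_NET_BIND_SERVICE_BIT) & 1ULL);
}

int main(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");  /* use /proc/<pid>/status for the daemon */
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("dropped sample:   %d\n", can_bind_privileged(SAMPLE_DROPPED));
    printf("bind-only sample: %d\n", can_bind_privileged(SAMPLE_BIND));
    printf("this process:     %d\n", can_bind_privileged(buf));
    return 0;
}
```

The kernel checks the effective capability set, not the uid, when a socket is bound to a port below 1024, which is why the "user changed to 'root'" debug line and the BindException can both be true at once.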
