On 11/28/06, Shachar Shemesh <[EMAIL PROTECTED]> wrote:
> Nadav Har'El wrote:
> > So basically, I want to tell linux to allow this process (or any process,
> > for that matter) to bind any port. I tried using "capabilities", but didn't
> > get it to work (does anyone know if this feature still exists in modern
> > kernels??),
> It's supposed to be a part of SELinux, so that needs to be enabled in
> order for capabilities to work. I have never had an occasion to use it,
> so I don't know the specifics, but it should still be around, and it
> does sound like what you are looking for.

Just to set the facts straight, "capabilities" are not part of
SELinux. "Capabilities" are an earlier (Linux 2.2) attempt at breaking
down superuser privileges into distinctive super-powers. SELinux is a
different shot at this, one which is not derived from "capabilities",
so it should not be brought into this discussion. Compared to SELinux,
capabilities are rather coarse, but CAP_NET_BIND_SERVICE is just what
you need.

You might be able to leave some chosen capability with a non-root process by:
1. Starting as a root process.
2. Eliminating all but the needed capabilities with capset(2) (or
whatever higher-level function there is -- they're undocumented on my
system)
3. Making the system keep capabilities upon seteuid by calling
prctl(2) with PR_SET_KEEPCAPS.
4. seteuid(2) and exec(3) your Java thing.

I didn't actually try it, but it makes sense from the docs.
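
An added example, not part of the original message: a small C launcher for the four-step procedure listed above, using raw syscalls. The function names `cap_only` and `drop_root_keep_cap` are made up for this sketch. It calls capset(2) after the UID change rather than before, since the effective set is cleared by that change even with PR_SET_KEEPCAPS, and it goes beyond the message by raising the capability in the ambient set (assumes Linux 4.3 or later) so that it survives the execve(2) of a non-root program.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fill d[] so that `cap` is the only capability in all three sets. */
void cap_only(int cap, struct __user_cap_data_struct d[2])
{
    memset(d, 0, 2 * sizeof d[0]);
    d[cap / 32].permitted = d[cap / 32].effective =
        d[cap / 32].inheritable = 1u << (cap % 32);
}

/* Returns 0 on success, else the number of the stage that failed. */
int drop_root_keep_cap(int cap, uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    if (geteuid() != 0) { errno = EPERM; return 1; }       /* must start as root */
    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L)) return 2;   /* keep permitted set */
    if (setgroups(0, NULL) || setresgid(gid, gid, gid) ||
        setresuid(uid, uid, uid)) return 3;                 /* become non-root */
    cap_only(cap, d);   /* shrink permitted to `cap`, re-raise effective */
    if (syscall(SYS_capset, &hdr, d)) return 4;
    /* Ambient set (assumes Linux >= 4.3): survives a non-root execve(2). */
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, (unsigned long)cap, 0L, 0L))
        return 5;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 4) { fputs("usage: keepcap UID GID PROGRAM [ARGS...]\n", stderr); return 2; }
    int stage = drop_root_keep_cap(CAP_NET_BIND_SERVICE,
                                   (uid_t)atoi(argv[1]), (gid_t)atoi(argv[2]));
    if (stage) {
        fprintf(stderr, "stage %d failed: %s\n", stage, strerror(errno));
        return 1;
    }
    execvp(argv[3], &argv[3]);
    perror("execvp");
    return 1;
}
```

The launched program's effective set can be checked from the `CapEff` line of `/proc/<pid>/status`, which should read `0000000000000400` for CAP_NET_BIND_SERVICE alone.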
