users@glassfish.java.net

Re: Using capabilities to bind non-root Glassfish to port 80 on Debian/Ubuntu

From: <glassfish_at_javadesktop.org>
Date: Sun, 21 Mar 2010 21:55:17 PDT

When capabilities are set and the user is not root, the Linux kernel uses secure execution. When secure execution is used, the ELF token $ORIGIN is not expanded, nor are the environment variables relevant to dynamic linking used. The java executable uses that particular dynamic linking token, so it cannot find the shared libraries.

I haven't yet tried it out, but a reasonable approach seems to be to run the server as root and reduce the capabilities of root down to the minimum necessary. It's not as appealing as running under a non-root user, but with an appropriate use of secure bits it seems to be safe. If anyone has any additional information on the security or feasibility of this approach, I would like to hear it.
[Message sent by forum member 'chriskhan']

http://forums.java.net/jive/thread.jspa?messageID=393052