https://wiki.1701technology.com/index.php?action=history&feed=atom&title=Allow_non-root_to_access_restricted_resourcesAllow non-root to access restricted resources - Revision history2026-05-06T15:32:23ZRevision history for this page on the wikiMediaWiki 1.34.1https://wiki.1701technology.com/index.php?title=Allow_non-root_to_access_restricted_resources&diff=1073&oldid=prevMichael.mast: Created page with "==Purpose== To allow non-root users to access restricted resources. This spawned from my desire to have a docker container run nxfilter as not root. Seeing it run as root in h..."2019-03-09T18:54:17Z<p>Created page with "==Purpose== To allow non-root users to access restricted resources. This spawned from my desire to have a docker container run nxfilter as not root. Seeing it run as root in h..."</p>
<p><b>New page</b></p><div>==Purpose==<br />
To allow non-root users to access restricted resources. This spawned from my desire to have a docker container run nxfilter as not root. Seeing it run as root in htop, especially with recent vulnerabilities<ref>https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b</ref>, made me want to figure this out.<br />
==Procedure==<br />
In this example I want to run a jvm as a non-root user.<br />
*Create a new group, user, and add the user to the group. In my case I set the ID to something random.<ref>https://www.cyberciti.biz/faq/linux-change-user-group-uid-gid-for-all-owned-files/</ref><br />
<pre><br />
groupadd -g 54628 nxfilter && useradd -u 54682 -g nxfilter nxfilter<br />
</pre><br />
*Then use setcap to allow java to bind to ports under 1000 (since we want to use 53,80 and 443)<ref>https://blogs.oracle.com/sduloutr/binding-a-server-to-privileged-port-on-linux-wo-running-as-root</ref><ref>https://wiki.archlinux.org/index.php/Capabilities</ref><ref>http://man7.org/linux/man-pages/man7/capabilities.7.html</ref><br />
<pre><br />
setcap CAP_NET_BIND_SERVICE=+eip /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.201.b09-2.el7_6.x86_64/jre/bin/java<br />
</pre><br />
*The important next step is required to get java to recognize these changes. I do not fully understand what this is (other than the symlink)<ref>https://techblog.jeppson.org/2017/12/make-java-run-privileged-ports-centos-7/</ref><br />
<pre><br />
find / -name 'libjli.so' -exec /usr/bin/ln -s {} /usr/lib/ \; && ldconfig<br />
</pre><br />
<br><br />
<br></div>Michael.mast