Allow non-root to access restricted resources

From Michael's Information Zone
Revision as of 13:54, 9 March 2019 by Michael.mast (talk | contribs) (Created page with "==Purpose== To allow non-root users to access restricted resources. This spawned from my desire to have a docker container run nxfilter as not root. Seeing it run as root in h...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Purpose

To allow non-root users to access restricted resources. This spawned from my desire to have a docker container run nxfilter as not root. Seeing it run as root in htop, especially with recent vulnerabilities[1], made me want to figure this out.

Procedure

In this example I want to run a jvm as a non-root user.

  • Create a new group, user, and add the user to the group. In my case I set the ID to something random.[2]
groupadd -g 54628 nxfilter && useradd -u 54682 -g nxfilter nxfilter
  • Then use setcap to allow java to bind to ports under 1000 (since we want to use 53,80 and 443)[3][4][5]
setcap CAP_NET_BIND_SERVICE=+eip /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.201.b09-2.el7_6.x86_64/jre/bin/java
  • The important next step is required to get java to recognize these changes. I do not fully understand what this is (other than the symlink)[6]
find / -name 'libjli.so' -exec /usr/bin/ln -s {} /usr/lib/ \; && ldconfig