Allow non-root to access restricted resources
Revision as of 13:54, 9 March 2019 by Michael.mast
Purpose
To allow non-root users to access restricted resources. This spawned from my desire to have a Docker container run nxfilter as a non-root user. Seeing it run as root in htop, especially with recent vulnerabilities[1], made me want to figure this out.
Procedure
In this example I want to run a JVM as a non-root user.
- Create a new group and a new user, and add the user to the group. In my case I set the ID to something random.[2]
groupadd -g 54628 nxfilter && useradd -u 54682 -g nxfilter nxfilter
- Then use setcap to allow java to bind to ports under 1000 (since we want to use 53, 80 and 443).[3][4][5]
setcap CAP_NET_BIND_SERVICE=+eip /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.201.b09-2.el7_6.x86_64/jre/bin/java
- The next step is important: it is required to get java to recognize these changes. I do not fully understand what this is (other than the symlink).[6]
find / -name 'libjli.so' -exec /usr/bin/ln -s {} /usr/lib/ \; && ldconfig
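A check for the three steps above, as an added example that is not part of the original page: it confirms that the java binary carries only cap_net_bind_service, that libjli.so is in the ldconfig cache, and that the service account is not uid 0. The function names and the `--check` argument are assumptions of this example; the path and user name are the ones used above.

```shell
#!/bin/sh
# Added example: post-setup checks for the three steps on this page.
# Defaults are the path and user name from the commands above.
JAVA_BIN="${JAVA_BIN:-/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.201.b09-2.el7_6.x86_64/jre/bin/java}"
SVC_USER="${SVC_USER:-nxfilter}"

# Reads `getcap FILE` output on stdin. Succeeds only if the file carries
# cap_net_bind_service (effective + permitted) and no other capability.
# Accepts both getcap styles: "file = cap_x+eip" and "file cap_x=eip".
caps_only_bind() {
    clause=$(awk 'NF { print $NF }' | tail -n 1)   # last field is the cap clause
    names=${clause%%[+=]*}                         # capability names before the flags
    flags=${clause#"$names"}                       # e.g. "+eip" or "=ep"
    [ "$names" = "cap_net_bind_service" ] || return 1
    case "$flags" in
        *e*p*|*p*e*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads `ldconfig -p` output on stdin. A binary with file capabilities runs in
# secure-execution mode, where the loader ignores LD_LIBRARY_PATH and
# $ORIGIN-relative rpath entries, so libjli.so has to be in the ldconfig cache.
jli_cached() {
    grep -q '^[[:space:]]*libjli\.so[[:space:]]'
}

# Succeeds if $1 is a numeric uid other than 0.
nonroot_uid() {
    [ -n "$1" ] && [ "$1" -gt 0 ] 2>/dev/null
}

verify_setup() {
    rc=0
    getcap "$JAVA_BIN" | caps_only_bind ||
        { echo "FAIL: expected only cap_net_bind_service on $JAVA_BIN"; rc=1; }
    ldconfig -p | jli_cached ||
        { echo "FAIL: libjli.so is not in the ldconfig cache"; rc=1; }
    nonroot_uid "$(id -u "$SVC_USER" 2>/dev/null)" ||
        { echo "FAIL: $SVC_USER does not exist or has uid 0"; rc=1; }
    return "$rc"
}

# Run the live checks only when asked, e.g.: sh check.sh --check
if [ "${1:-}" = "--check" ]; then verify_setup; fi
```

Because the capability is attached to the file, any account that can execute that java binary can bind low ports, not only nxfilter, so the check on extra capabilities matters.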
[1] https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b
[2] https://www.cyberciti.biz/faq/linux-change-user-group-uid-gid-for-all-owned-files/
[3] https://blogs.oracle.com/sduloutr/binding-a-server-to-privileged-port-on-linux-wo-running-as-root
[4] https://wiki.archlinux.org/index.php/Capabilities
[5] http://man7.org/linux/man-pages/man7/capabilities.7.html
[6] https://techblog.jeppson.org/2017/12/make-java-run-privileged-ports-centos-7/