Allow non-root to access restricted resources

From Michael's Information Zone
Jump to navigation Jump to search

Purpose

To allow non-root users to access restricted resources. This spawned from my desire to have a docker container run nxfilter as not root. Seeing it run as root in htop, especially with recent vulnerabilities[1], made me want to figure this out.

Procedure

In this example I want to run a jvm as a non-root user.

  • Create a new group, user, and add the user to the group. In my case I set the ID to something random.[2]
groupadd -g 54628 nxfilter && useradd -u 54682 -g nxfilter nxfilter
  • Then use setcap to allow java to bind to ports under 1000 (since we want to use 53,80 and 443)[3][4][5]
setcap CAP_NET_BIND_SERVICE=+eip /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.201.b09-2.el7_6.x86_64/jre/bin/java
  • The important next step is required to get java to recognize these changes. I do not fully understand what this is (other than the symlink)[6]
find / -name 'libjli.so' -exec /usr/bin/ln -s {} /usr/lib/ \; && ldconfig



  1. https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b
  2. https://www.cyberciti.biz/faq/linux-change-user-group-uid-gid-for-all-owned-files/
  3. https://blogs.oracle.com/sduloutr/binding-a-server-to-privileged-port-on-linux-wo-running-as-root
  4. https://wiki.archlinux.org/index.php/Capabilities
  5. http://man7.org/linux/man-pages/man7/capabilities.7.html
  6. https://techblog.jeppson.org/2017/12/make-java-run-privileged-ports-centos-7/
Retrieved from "https://wiki.1701technology.com/index.php?title=Allow_non-root_to_access_restricted_resources&oldid=1073"