How to run BEJY on Linux without root permission


This is not only an issue for BEJY, this works for all application including all java applications. Running server applications which open ports < 1024 is a problem for all applications under Linux and other Unixes unless they get root permission.

How is this done by others?

Most server applications are using a trick: - first start with root permission - open the ports - change the context to non-root
This seems to work (and I don't want to discuss the quality of that method), but cannot be done from 100% pure Java.

A general solution

Instead of adding native code to portable Java applications, my solution applies to the kernel security, where a modified decision gives the right to open ports < 1024 to all users of a distinct group.

Your task

  1. you have to compile your kernel by yourself
  2. install kernel and modules and verify that it works
  3. apply the patch
  4. compile and install again and boot the new kernel
  5. create a special user for BEJY
  6. move it into the special group (I use group 3, which is bin). This group must be the primary group (see /etc/passwd)
done :)

the patch

this patch applies to the method capable() in the file security/security.c:
old method:
int capable(int cap)
{
        if (security_ops->capable(current, cap)) {
                /* capability denied */
                return 0;
        }

        /* capability granted */
        current->flags |= PF_SUPERPRIV;
        return 1;
}

modified method
int capable(int cap)
{
        if (security_ops->capable(current, cap)) {

            if (cap != CAP_NET_BIND_SERVICE || current->gid != 3)
            {
                /* capability denied */
                return 0;
            }
        }

        /* capability granted */
        current->flags |= PF_SUPERPRIV;
        return 1;
}

It is easy to understand that the modification affects only the the capability to bind server ports and it only adds the group with id 3.
enjoy!