How to get Oracle java 7 to work with setcap cap_net_bind_service+ep

Solution 1

Until you asked the question I never even heard of this facility in Unix (file capabilities). I found this link which looks to have the solution as to how to make ld.so trust your shared libraries:

• JDK-7157699 : can not run java after granting posix capabilities

excerpt from that post

When one is raising the privileges of an executable, the runtime loader (rtld), better know as ld.so will not link with libraries in untrusted paths. This is the way the ld.so(1) has been designed. If one needs to run such an executable, then you have to add that path to the trusted paths of ld.so, the following describes how to do so:

Fedora 11:
% uname -a
Linux localhost.localdomain 2.6.29.4-167.fc11.i686.PAE #1 SMP Wed May 27 17:28:22 EDT 2009 i686 i686 i386 GNU/Linux

% sudo setcap cap_net_raw+epi ./jdk1.7.0_04/bin/java

% ./jdk1.7.0_04/bin/java -version
./jdk1.7.0_04/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

Its kaput, Ok we are on the same page now, to fix this, create a file such as > this, with the path to libjli.so

% cat /etc/ld.so.conf.d/java.conf
/home/someuser/jdk1.7.0_04/jre/lib/i386/jli

This will add the the pathname to the trusted user path, that ld.so will use, to build its runtime cache, verify if ld.so is seeing it by doing this, need to run it as root, and a reboot may be necessary.

% ldconfig | grep libjli
libjli.so -> libjli.so
.......

Now test java:

% ./jdk1.7.0_04/bin/java -version
java version "1.7.0_04-ea"
Java(TM) SE Runtime Environment (build 1.7.0_04-ea-b18)

and there you have it.....

References

• POSIX file capabilities: Parceling the power of root
• This is the Linux kernel capabilities FAQ
• capabilities man page
• Capability-based security - wikipedia
• Using File Capabilities Instead Of Setuid

Solution 2

Just to show the full process to enable Java listenign at port 80 (or any port below 1024):

• For a JAVA_HOME:

  $> export JAVA_HOME=/usr/local/java/graalvm-ce-java8-20.2.0
  

• You should enable the capability to the java binary:

  $> sudo /sbin/setcap 'cap_net_bind_service=ep' /usr/local/java/graalvm-ce-java8-20.2.0/bin/java
  

• After that you will start to get some error when running java:

  $> java -version
  ./bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
  

• To fix that you should update ldconfig. Just create a java.conf file:

  $> cat /etc/ld.so.conf.d/java.conf 
  /usr/local/java/graalvm-ce-java8-20.2.0/lib/amd64/jli
  /usr/local/java/graalvm-ce-java8-20.2.0/jre/lib/amd64/jli
  
  $> java -version
  

• Now java works:

  $> java -version
  openjdk version "1.8.0_262"
  ...
  

Related videos on Youtube

16 : 22

How to upgrade JDK in Oracle Database 11.2.0.4.0 #jdk #oracle

ORACLE APPS DBA

249

02 : 42

Unix & Linux: How to get Oracle java 7 to work with setcap cap_net_bind_service+ep?

Roel Van de Paar

17

04 : 24

How to Install JDK 8 (Java 8) In Linux

Pramuda Liyanage

10

07 : 08

Cara install oracle java 7 GNU:Linux Ubuntu1604 Indonesia

Channel Blog & Tech Indonesia

8

03 : 10

How to Connect Java Application to Oracle Database Server

BoostMyTool

3

Author by

ams

I love software development.

Updated on September 18, 2022