I have a Java application that needs to be able to listen on
low-numberd ports (below 1024). In OS X how does one elevate the
privileges of a running Java application so that it can bind to
low-numbered ports and then drop the privileges after the binds are
done but still continue to listen on the sockets?
What do you mean by "you don't"? Do you mean it's not possible or
do you mean it's not a good idea?
If it's not possible then how do people write Java applications
that listen on low-numbered ports?
And if it's not possible then how can one work around that
limitation to make it possible?
Its possible and the way I do it, it is not a good idea. :-P I run
Tomcat listening on port 80 for testing purposes by logging in to
an administrative account and using sudo to start up Tomcat. The
problem with this is that Tomcat runs with Administrative
privileges and this makes the system vulnerable to devastating
attacks. Ideally what you'd want to do is start the process with
root privileges and once the port is bound revert the privileges
to only those required by your application. Unfortunately, there
is no way to this from either the command line or in Java. You
might like to take a look at jsvc
http://jakarta.apache.org/commons/daemon/jsvc.html . I have not
used this on macs yet but I have used on Linux successfully.
One more quick question for you:
Would it be possible to do this in Java indirectly by having a C
routine that can elevate the privileges?
I was thinking write a small .dylib, then a JNI stub, then the Java
app that would link to all of those. The Java app could call
through the JNI library to the C code and the C code could then
elevate the process's privileges temporarily to bind and then drop
back down. Since all the libs would be linked to the parent Java
process, the C code could just elevate the privileges of whatever
app called it. Would this work?
Unfortunately, this isn't an area of my expertise. I don't think its
possible to elevate the process' privileges beyond those of the user
who initiates the process. If it is possible then, sure, it can be
Its been my experience that user apps are usually clients and don't
need to bind to a privileged port. What is that you are trying to do
that requires the user to run a server bound to a privileged port?
Maybe with a bit more information, I can help a more.
glen at hard-bop.com
I'm not trying to run a server. This is for some client software
written in Java which runs on OS X. It talks to a back-end
proprietary box made by the company I work for. The Java app has to
start up, bind to a socket, and then listen on low-numbered ports on
which the appliance is sending data. The Java code is already there
and working on other platforms but it doesn't work on OS X because of
the permissions problem.
My idea was to elevate the privileges of the Java app before it does
the bind, then lower them once it is connected. If it were C/C++ code
it would be no problem as I can write a helper tool to return file
descriptors representing the low-numbered ports. But the problem is
the Java code already exists and is shipping. I don't have the option
of not using the Java code.
Maybe someone who knows a bit more than I about UNIX security would
know how to manipulate a process's privileges.
Orbital Launch & Lift, Inc.
Do not post admin requests to the list. They will be ignored.
Java-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden