Start service on the privileged port as a regular user.
I will use jenkins
service as an example.
By default, jenkins
the service starts at port 8080
.
$ cat /etc/default/jenkins
[...] # port for HTTP connector (default 8080; disable with -1) HTTP_PORT=8080 [...]
Altering this value will prevent service from starting.
$ sudo tail -20 /var/log/jenkins/jenkins.log
Caused: java.io.IOException: Failed to bind to 0.0.0.0/0.0.0.0:80 at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(ServerConnector.java:349) at org.eclipse.jetty.server.ServerConnector.open(ServerConnector.java:310) at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:80) at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) at org.eclipse.jetty.server.Server.doStart(Server.java:401) at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) at winstone.Launcher.<init>(Launcher.java:192) Caused: java.io.IOException: Failed to start Jetty at winstone.Launcher.<init>(Launcher.java:194) at winstone.Launcher.main(Launcher.java:369) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at Main._main(Main.java:375) at Main.main(Main.java:151)
You can overcome this problem by using Linux capabilities, but this is a Java application that uses its own init script.
$ sudo systemctl status jenkins
● jenkins.service - LSB: Start Jenkins at boot time Loaded: loaded (/etc/init.d/jenkins; generated) Active: active (exited) since Tue 2021-03-30 20:22:52 UTC; 10s ago Docs: man:systemd-sysv-generator(8) Process: 7077 ExecStart=/etc/init.d/jenkins start (code=exited, status=0/SUCCESS) Mar 30 20:22:51 jenkins systemd[1]: Starting LSB: Start Jenkins at boot time... Mar 30 20:22:51 jenkins jenkins[7077]: Correct java version found Mar 30 20:22:51 jenkins jenkins[7077]: * Starting Jenkins Automation Server jenkins Mar 30 20:22:51 jenkins su[7116]: (to jenkins) root on none Mar 30 20:22:51 jenkins su[7116]: pam_unix(su-l:session): session opened for user jenkins by (uid=0) Mar 30 20:22:51 jenkins su[7116]: pam_unix(su-l:session): session closed for user jenkins Mar 30 20:22:52 jenkins jenkins[7077]: ...done. Mar 30 20:22:52 jenkins systemd[1]: Started LSB: Start Jenkins at boot time.
Stop the service if it is running at this moment.
$ sudo systemctl stop jenkins
Create a more direct service file.
$ cat <<EOF | tee /etc/systemd/system/jenkins.service [Unit] Description=Jenkins Service [Service] ExecStart=/usr/bin/java -Djava.awt.headless=true -jar /usr/share/jenkins/jenkins.war -DJENKINS_HOME=/var/lib/jenkins --webroot=/var/cache/jenkins/war --httpPort=80 User=jenkins Restart=always [Install] WantedBy=multi-user.target EOF
Create additional configuration file that will add CAP_NET_BIND_SERVICE
capability.
I am using a drop-in configuration file so that I can use it for other existing services.
$ mkdir /etc/systemd/system/jenkins.service.d
$ echo -e "[Service]\nAmbientCapabilities=CAP_NET_BIND_SERVICE" | tee /etc/systemd/system/jenkins.service.d/capabilities.conf
[Service] AmbientCapabilities=CAP_NET_BIND_SERVICE
Reload the systemd manager configuration.
$ systemctl daemon-reload
Start jenkins
service.
$ systemctl start jenkins
Inspect service status.
$ systemctl status jenkins
● jenkins.service - Jenkins Service Loaded: loaded (/etc/systemd/system/jenkins.service; disabled; vendor preset: enabled) Drop-In: /etc/systemd/system/jenkins.service.d └─capabilities.conf Active: active (running) since Tue 2021-03-30 21:58:20 UTC; 10s ago Main PID: 10545 (java) Tasks: 57 (limit: 19005) Memory: 1.7G CGroup: /system.slice/jenkins.service └─10545 /usr/bin/java -Djava.awt.headless=true -jar /usr/share/jenkins/jenkins.war -DJENKINS_HOME=/var/lib/jenkins --webroot=/var/cache/jenkins/war --httpPort=80 Mar 30 21:58:23 jenkins java[10545]: ************************************************************* Mar 30 21:58:23 jenkins java[10545]: ************************************************************* Mar 30 21:58:23 jenkins java[10545]: ************************************************************* Mar 30 21:58:23 jenkins java[10545]: Jenkins initial setup is required. An admin user has been created and a password generated. Mar 30 21:58:23 jenkins java[10545]: Please use the following password to proceed to installation: Mar 30 21:58:23 jenkins java[10545]: 249a5f9f4c659a0438294a9325d91a20 Mar 30 21:58:23 jenkins java[10545]: This may also be found at: /var/lib/jenkins/.jenkins/secrets/initialAdminPassword Mar 30 21:58:23 jenkins java[10545]: ************************************************************* Mar 30 21:58:23 jenkins java[10545]: ************************************************************* Mar 30 21:58:23 jenkins java[10545]: *************************************************************
Services like nginx
, AdGuardHome
require only the appropriate drop-in file. You can also set capability directly on an executable file in these cases, but please try to avoid such behavior.
$ sudo setcap CAP_NET_BIND_SERVICE=+ep /opt/AdGuardHome/AdGuardHome
Please read capabilities
manual page, especially the Thread capability sets
section.
$ man 7 capabilities