2

I want to run an ICMP command to ping an IP address in Java:

// getByName parses the dotted-quad string; getByAddress expects the 4 raw address bytes
InetAddress.getByName("XXX.XXX.XXX.XXX").isReachable(1000);

However there is a security restriction that:

Normal users are allowed to create raw sockets. 

So I can not run it. I don't want to run my application as root. So, which privileges should I assign to the user that runs my application for CAP_NET_RAW capability?

kamaci
  • 153
  • From this it sounds like you have to setuid on the executable (and the executable must be owned by root) so it can either create the socket or setpcap on itself at runtime (I think CAP_NET_RAW applies to processes, not executables). Unfortunately, I'm not sure about the possibilities for a java program this way, since they're not strictly executables. – goldilocks Nov 19 '14 at 14:11
  • @goldilocks could you write it as answer? – kamaci Nov 20 '14 at 08:42
  • No, because I think I am wrong about CAP_NET_RAW not being applicable to executables. However, it looks like WRT java you would have to set that on the runtime engine (java) itself, and there are some major PITA issues that come along with that if you are using, e.g., an Oracle install with libs outside of standard places like /usr/lib. See here: http://unix.stackexchange.com/questions/87978/how-to-get-oracle-java-7-to-work-with-setcap-cap-net-bind-serviceep – goldilocks Nov 20 '14 at 13:24

1 Answer

0

As mentioned in the comment to your answer, you have to set the capability on the Java executable. Here is a working example:

sudo setcap cap_net_raw+epi /usr/lib/jvm/jdk-19/bin/java

(replace path with path to your Java executable)

simon
  • 289
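
An added example, not part of the answer above: a shell check that a `getcap` line really leaves `cap_net_raw` in the effective and permitted sets of the Java binary, accepting both output formats `getcap` has used. The helper names `has_cap` and `java_caps` are hypothetical, and paths without spaces are assumed.

```shell
#!/bin/sh
# Added example (not from the answer): audit the result of setcap.
# has_cap and java_caps are hypothetical helper names.

# has_cap CAPABILITY GETCAP_LINE
# Succeeds when the getcap line leaves CAPABILITY in both the effective (e)
# and permitted (p) sets. Assumes the path has no spaces and each clause has
# one operator, which is how getcap prints file capabilities.
has_cap() {
    want=$1
    caps=${2#* }      # drop the path
    caps=${caps#= }   # older libcap prints "path = caps", newer "path caps"
    e=0
    p=0
    for clause in $caps; do
        names=${clause%%[=+-]*}       # capability list before the operator
        rest=${clause#"$names"}       # operator followed by flags
        [ -n "$rest" ] || continue
        op=${rest%"${rest#?}"}
        flags=${rest#?}
        case ",$names," in
            *",$want,"*|",,"|",all,") ;;   # empty list or "all" means every capability
            *) continue ;;
        esac
        case $op in
            =) e=0; p=0; on=1 ;;      # "=" resets the flags, then raises those listed
            +) on=1 ;;
            -) on=0 ;;
        esac
        case $flags in *e*) e=$on ;; esac
        case $flags in *p*) p=$on ;; esac
    done
    [ "$e" = 1 ] && [ "$p" = 1 ]
}

# java_caps: print getcap output for the real java binary. Symlinks such as
# /usr/bin/java are resolved first because file capabilities are stored on
# the regular file, not on the link.
java_caps() {
    bin=$(readlink -f "$(command -v java)") || return 2
    getcap "$bin"
}

# Typical use on the host (not executed here):
#   has_cap cap_net_raw "$(java_caps)" && echo "java holds cap_net_raw"
```

Because the capability is attached to the `java` binary itself, every program started with that binary can open raw sockets, so the same check is worth running over any other runtimes found with `getcap -r`.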