Although POSIX has a standard for capabilities which I think includes CAP_NET_BIND_SERVICE, these are not required for conformance and may in some ways be incompatible with the implementation on, e.g., linux.
Since webservers like apache are not written for only one platform, using root privileges is the most portable method. I suppose it could do this specifically on linux and BSD (or wherever support is detected), but this would mean the behaviour would vary from platform to platform, etc.
It seems to me you could configure your system so that any web server could be used this way; there are some (perhaps clumsy) suggestions about this WRT apache here: NonRootPortBinding.
So why are they traditionally being started as root when afterwards everything is done to get rid of implied security issues that come with it?
They're started as root because they usually need to access a privileged port, and traditionally this was the only way to do it. The reason they downgrade afterward is because they do not need privileges subsequently, and to limit the damage potential introduced by the myriad of third party add-on software commonly used by the server.
This is not unreasonable, since the privileged activity is very limited, and by convention many other system daemons run root continuously, including other inet daemons (e.g., sshd).
Keep in mind that if the server were packaged so that it could be run as an unprivileged user with CAP_NET_BIND_SERVICE, this would allow any non-privileged user to start HTTP(S) service, which is perhaps a greater risk.
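The bind-first, drop-second sequence described above, as an added illustration that is not part of this answer: the listening socket is created while the process still has the privilege to bind, then the process switches permanently to an unprivileged account and checks that it cannot regain root. The account name `nobody` and the use of port 0 (an ephemeral port, so it also runs unprivileged) are assumptions.

```python
import os
import pwd
import socket

PRIVILEGED_PORT_MAX = 1023  # on Linux, ports <= 1023 need root or CAP_NET_BIND_SERVICE


def is_privileged_port(port):
    return 0 <= port <= PRIVILEGED_PORT_MAX


def bind_listener(port, host="127.0.0.1"):
    """Create the listening socket while the privilege to bind is still held."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(16)
    return sock


def drop_privileges(user):
    """Switch permanently to an unprivileged account.

    Order matters: supplementary groups, then gid, then uid, because once
    setuid() has run the process can no longer change its groups.
    """
    if os.geteuid() != 0:
        # Nothing to drop: started unprivileged already (e.g. via setcap).
        return {"dropped": False, "uid": os.getuid(), "gid": os.getgid()}
    pw = pwd.getpwnam(user)  # assumed account, e.g. "nobody"
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    # The drop must be irreversible: regaining uid 0 has to fail.
    try:
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privilege drop was not permanent")
    return {"dropped": True, "uid": os.getuid(), "gid": os.getgid()}


def start_service(port, user):
    """The traditional daemon start-up: bind as root, then drop privileges."""
    sock = bind_listener(port)
    state = drop_privileges(user)
    return sock, state
```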
I think setcap will be your answer. I think the real question here is: how will my system recognize when the webserver on the NFS has been touched, so it can run a setcap command on it?
I think you'll want to set up an inotify or systemd.path watch to monitor this webserver. When that binary gets replaced, you'll detect it and trigger the setcap command that works for you. This works especially well if your webserver runs via systemd already.
Here's an example with systemd.path, assuming your server runs as the systemd service webserver.service:
# /etc/systemd/system/webcap.path
[Unit]
Description=Watching changes in the webserver binary
# Start monitoring only after the webserver is running.
After=webserver.service
[Path]
# Whenever someone writes to this path (binary is replaced), do something
PathModified=/path/to/webserver
# This is the service you launch when the above condition is met
Unit=webcap.service
[Install]
# Whenever the webserver is started, this monitor will also start
WantedBy=webserver.service

# /etc/systemd/system/webcap.service
[Unit]
Description=Update caps of webserver
[Service]
Type=oneshot
ExecStart=setcap cap_net_bind_service=ep /path/to/webserver
Best Answer
Do you have access to iptables? I vaguely remember that the Synology NAS boxes do. If so, you can put a redirect in with this:
Line 1 adds an opening to port 53. Line 2 adds an opening to port 7000, which is what you should set your java app to use. Line 3 adds a redirect so that any traffic inbound on port 53 gets directed to port 7000.