
I want to run an ICMP command to ping an IP address in Java:

```java
// getByName parses the dotted-quad string; getByAddress expects the raw 4-byte address
InetAddress.getByName("XXX.XXX.XXX.XXX").isReachable(1000);
```

However there is a security restriction that:

Normal users are allowed to create raw sockets. 

So I can not run it. I don't want to run my application as root. So, which privileges should I assign to the user that runs my application for CAP_NET_RAW capability?

kamaci
  • **[From this](http://stackoverflow.com/questions/9772068/raw-socket-access-as-normal-user-on-linux-2-4)** it sounds like you have to **[setuid on the executable](http://unix.stackexchange.com/questions/166817/using-the-setuid-bit-properly)** (and the executable must be owned by root) so it can either create the socket or setpcap on itself at runtime (I think CAP_NET_RAW applies to processes, not executables). Unfortunately, I'm not sure about the possibilities for a java program this way, since they're not strictly executables. – goldilocks Nov 19 '14 at 14:11
  • @goldilocks could you write it as answer? – kamaci Nov 20 '14 at 08:42
  • No, because I think I am wrong about CAP_NET_RAW not being applicable to executables. However, it looks like WRT java you would have to set that on the runtime engine (`java`) itself, and there are some major PITA issues that come along with that if you are using, e.g., an Oracle install with libs outside of standard places like `/usr/lib`. See here: http://unix.stackexchange.com/questions/87978/how-to-get-oracle-java-7-to-work-with-setcap-cap-net-bind-serviceep – goldilocks Nov 20 '14 at 13:24

1 Answer


As mentioned in the comment to your answer, you have to set the capability to the Java executable. Here is a working example:

```
sudo setcap cap_net_raw+epi /usr/lib/jvm/jdk-19/bin/java
```

(replace path with path to your Java executable)

simon
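An added example, not part of the original answer: a file capability set on the `java` binary applies to every program started with that JVM, so this script reads `getcap` output and lists the files that grant CAP_NET_RAW, marking general-purpose runtimes separately. The runtime name list, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list files that grant CAP_NET_RAW, reading
# `getcap -r <dir>` output on stdin. Both getcap output styles are handled:
#   /path = cap_net_raw+ep    (older libcap)
#   /path cap_net_raw=ep      (newer libcap)

# Assumption: these basenames are treated as general-purpose runtimes.
is_runtime() {
    case "${1##*/}" in
        java|python*|perl*|ruby*|node|bash|sh) return 0 ;;
        *) return 1 ;;
    esac
}

audit_net_raw() {
    while IFS= read -r line; do
        path=${line%% cap_*}      # drop the capability text
        path=${path% =}           # drop the old-style " =" separator
        caps=${line#"$path"}
        granted=no
        for clause in $caps; do
            case "$clause" in
                *cap_net_raw*)
                    flags=${clause##*[+=]}
                    # Without the permitted (p) flag, exec grants nothing unless
                    # the caller already holds the capability as inheritable.
                    case "$flags" in *p*) granted=yes ;; esac ;;
            esac
        done
        if [ "$granted" = yes ]; then
            if is_runtime "$path"; then
                echo "RUNTIME $path"
            else
                echo "BINARY $path"
            fi
        fi
    done
}

# Constructed sample input; on a real host: getcap -r /usr 2>/dev/null | audit_net_raw
audit_net_raw <<'EOF'
/usr/bin/ping cap_net_raw=ep
/usr/lib/jvm/jdk-19/bin/java cap_net_raw=eip
/usr/bin/python3.11 = cap_net_raw+ep
/usr/sbin/httpd = cap_net_bind_service+ep
/opt/tool cap_net_raw=i
EOF
```

A `RUNTIME` line means any code run through that interpreter or JVM can open raw sockets; `sudo setcap -r <path>` removes the file capability again.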