How to bind to ports below 1024 without being root on Linux?

On a Linux system there are many actions and features, collectively called capabilities, that are accessible only to the root or privileged user. If you, or the executable you wish to run, do not have the authorisation to run as root, then there is no way for you or your application to access these features. An example of such a restriction is trying to bind to a port below 1024, or trying to run tcpdump, without being root.

Linux Capabilities to the Rescue

Thankfully there is a solution to this problem that is supported by kernel versions 2.2.11 and up. Linux capabilities are the individual operations, or actions, that normally require root access; each one can now be granted separately to an executable, so that the user who starts or owns that application does not have to be root.

For example, granting an executable the CAP_NET_BIND_SERVICE capability allows that executable to bind to ports 1023 and below without running as root. The CAP_KILL capability lets an executable that holds it bypass the permission checks that normally apply when sending kill signals.

Linux Command of the Week

"setcap" - set Linux capabilities on a file. Useful for granting an executable capabilities that are normally restricted to the root user, such as binding to a port below 1024 without needing to run as root, or giving wireshark permission to capture packets without needing to be run as root.

The example below allows Java services to bind to ports below 1024 without being root.

setcap cap_net_bind_service=+ep /usr/lib/jvm/java-7-oracle/jre/bin/java

See "man setcap" for more info.
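After running setcap, a practitioner wants to confirm that the capability actually reached the process and not just the file. The script below is an added example, not part of the original post: it decodes the CapEff/CapPrm/CapBnd hex bitmasks that the kernel exposes in /proc/<pid>/status (bit 5 is CAP_KILL, bit 10 is CAP_NET_BIND_SERVICE, per linux/capability.h) and then attempts a real bind on a low port to see whether the kernel permits it. The sample status text is constructed for illustration.

```python
import socket
from pathlib import Path

# Capability bit positions as defined in the kernel's linux/capability.h.
CAP_BITS = {"cap_kill": 5, "cap_net_bind_service": 10}


def parse_cap_masks(status_text: str) -> dict:
    """Extract the Cap* hex bitmasks (CapInh, CapPrm, CapEff, CapBnd, ...)
    from the text of /proc/<pid>/status."""
    masks = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            masks[key.strip()] = int(value.strip(), 16)
    return masks


def has_cap(mask: int, name: str) -> bool:
    """True if the bit for capability `name` is set in `mask`."""
    return bool((mask >> CAP_BITS[name]) & 1)


def caps_of(pid="self") -> dict:
    """Read the Cap* masks of a running process from /proc (Linux only)."""
    return parse_cap_masks(Path(f"/proc/{pid}/status").read_text())


def can_bind(port: int) -> bool:
    """Try to bind a TCP socket on loopback; False if the kernel refuses
    with EACCES (no CAP_NET_BIND_SERVICE and port < 1024)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("127.0.0.1", port))
            return True
        except PermissionError:
            return False


# Constructed sample: a java process whose permitted and effective sets hold
# only cap_net_bind_service (bit 10 -> 0x400), e.g. after the setcap above.
SAMPLE_STATUS = """Name:\tjava
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t000001ffffffffff
"""

if __name__ == "__main__":
    sample = parse_cap_masks(SAMPLE_STATUS)
    print("sample has cap_net_bind_service:", has_cap(sample["CapEff"], "cap_net_bind_service"))
    mine = caps_of()
    print("this process has cap_net_bind_service:", has_cap(mine["CapEff"], "cap_net_bind_service"))
    print("this process can bind port 80:", can_bind(80))
```

Run it under the binary you granted the capability to (or as the unprivileged service user) to see whether CapEff carries bit 10; a bind that fails with EACCES while the file has the capability usually means it was lost between exec and the check (for example by a wrapper script or interpreter).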