Okay, thanks to the people who pointed out the capabilities system and CAP_NET_BIND_SERVICE capability. If you have a recent kernel, it is indeed possible to use this to start a service as non-root but bind low ports. The short answer is that you do:

Copysetcap 'cap_net_bind_service=+ep' /path/to/program

And then anytime program is executed thereafter it will have the CAP_NET_BIND_SERVICE capability. setcap is in the debian package libcap2-bin.

Now for the caveats:

  1. You will need at least a 2.6.24 kernel
  2. This won't work if your file is a script. (i.e. uses a #! line to launch an interpreter). In this case, as far I as understand, you'd have to apply the capability to the interpreter executable itself, which of course is a security nightmare, since any program using that interpreter will have the capability. I wasn't able to find any clean, easy way to work around this problem.
  3. Linux will disable LD_LIBRARY_PATH on any program that has elevated privileges like setcap or suid. So if your program uses its own .../lib/, you might have to look into another option like port forwarding.

Resources:

  • capabilities(7) man page. Read this long and hard if you're going to use capabilities in a production environment. There are some really tricky details of how capabilities are inherited across exec() calls that are detailed here.
  • setcap man page
  • "Bind ports below 1024 without root on GNU/Linux": The document that first pointed me towards setcap.

Note: RHEL first added this in v6.

Answer from Jason C on Stack Overflow
Top answer
1 of 16
533

Okay, thanks to the people who pointed out the capabilities system and CAP_NET_BIND_SERVICE capability. If you have a recent kernel, it is indeed possible to use this to start a service as non-root but bind low ports. The short answer is that you do:

Copysetcap 'cap_net_bind_service=+ep' /path/to/program

And then anytime program is executed thereafter it will have the CAP_NET_BIND_SERVICE capability. setcap is in the debian package libcap2-bin.

Now for the caveats:

  1. You will need at least a 2.6.24 kernel
  2. This won't work if your file is a script. (i.e. uses a #! line to launch an interpreter). In this case, as far I as understand, you'd have to apply the capability to the interpreter executable itself, which of course is a security nightmare, since any program using that interpreter will have the capability. I wasn't able to find any clean, easy way to work around this problem.
  3. Linux will disable LD_LIBRARY_PATH on any program that has elevated privileges like setcap or suid. So if your program uses its own .../lib/, you might have to look into another option like port forwarding.

Resources:

  • capabilities(7) man page. Read this long and hard if you're going to use capabilities in a production environment. There are some really tricky details of how capabilities are inherited across exec() calls that are detailed here.
  • setcap man page
  • "Bind ports below 1024 without root on GNU/Linux": The document that first pointed me towards setcap.

Note: RHEL first added this in v6.

2 of 16
82

You can use IPtables to redirect traffic on port 80 to another port on 127.0.0.1 (e.g. port 6666), which does not require root privileges.

Copy# Enable packet forwarding in case it's disabled.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Redirect all incoming traffic on port 80 to 127.0.0.1:6666
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 127.0.0.1:6666

# Ensure the response packets are routed correctly back to the client
iptables -t nat -A POSTROUTING -p tcp --dport 6666 -d 127.0.0.1 -j SNAT --to-source 127.0.0.1

You might also want to redirect udp packets:

Copy# Redirect all incoming UDP traffic on port 80 to 127.0.0.1:6666
iptables -t nat -A PREROUTING -p udp --dport 80 -j DNAT --to-destination 127.0.0.1:6666

# Ensure the response packets are routed correctly back to the client for UDP
iptables -t nat -A POSTROUTING -p udp --dport 6666 -d 127.0.0.1 -j SNAT --to-source 127.0.0.1

Then you need to save the iptables config:

iptables-save > /etc/iptables/rules.v4

On Red Hat/CentOS systems:

service iptables save

As per 2010+, use authbind

IPv6 support has been added.

Disclaimer (update per 2021): Note that authbind works via LD_PRELOAD, which is only used if your program uses libc, which is (or might) not be the case if your program is compiled with GO/Rust, or any other compiler that avoids C. If you use go or rust, set the kernel parameter for the protected port range, see the sysctl method below </EndUpdate>

Authbind is much better than CAP_NET_BIND_SERVICE or a custom kernel.

  • CAP_NET_BIND_SERVICE grants trust to the binary but provides no control over per-port access.
  • Authbind grants trust to the user/group and provides control over per-port access, and supports both IPv4 and IPv6
  1. Install: apt-get install authbind

  2. Configure access to relevant ports, e.g. 80 and 443 for all users and groups:

    sudo touch /etc/authbind/byport/80
    sudo touch /etc/authbind/byport/443
    sudo chmod 777 /etc/authbind/byport/80
    sudo chmod 777 /etc/authbind/byport/443

  3. Execute your command via authbind
    (optionally specifying --deep or other arguments, see man authbind):

         authbind --deep /path/to/binary command line args
    
     e.g.  
    
         authbind --deep java -jar SomeServer.jar
    

If authbind doesn't cut it, because you use GO or Rust (or whatever), you can use the sysctl method.

That is, as you can see below, the kernel limited ports below 1000 to the root user. You could change that number in the kernel sources, but basically, as someone in the comments remarked, you don't want a custom kernel.

As of 2017, updating the kernel is no longer required.
You can now set the start number of the privileged ports with sysctl:

sysctl net.ipv4.ip_unprivileged_port_start=80

Or to persist:

sysctl -w net.ipv4.ip_unprivileged_port_start=80

And if that yields an error, simply edit /etc/sysctl.conf with nano and set the parameter there for persistence across reboots.

or via procfs

echo 80 | sudo tee /proc/sys/net/ipv4/ip_unprivileged_port_start

As a follow-up to Joshua's fabulous (=not recommended unless you know what you do) recommendation to hack the kernel:

I've first posted it here.

Simple. With a normal or old kernel, you don't.
As pointed out by others, iptables can forward a port.
As also pointed out by others, CAP_NET_BIND_SERVICE can also do the job.
Of course CAP_NET_BIND_SERVICE will fail if you launch your program from a script, unless you set the cap on the shell interpreter, which is pointless, you could just as well run your service as root...
e.g. for Java, you have to apply it to the JAVA JVM

Copysudo /sbin/setcap 'cap_net_bind_service=ep' /usr/lib/jvm/java-8-openjdk/jre/bin/java

Obviously, that then means any Java program can bind system ports.
Ditto for mono/.NET.

I'm also pretty sure xinetd isn't the best of ideas.
But since both methods are hacks, why not just lift the limit by lifting the restriction ?
Nobody said you have to run a normal kernel, so you can just run your own.

You just download the source for the latest kernel (or the same you currently have). Afterwards, you go to:

/usr/src/linux-<version_number>/include/net/sock.h:

There you look for this line

Copy/* Sockets 0-1023 can't be bound to unless you are superuser */
#define PROT_SOCK       1024

and change it to:

Copy#define PROT_SOCK 0

if you don't want to have an insecure ssh situation, you alter it to this:

Copy#define PROT_SOCK 24

Generally, I'd use the lowest setting that you need, e.g. 79 for http, or 24 when using SMTP on port 25.

That's already all.
Compile the kernel, and install it.
Reboot.
Finished - that stupid limit is GONE, and that also works for scripts.

Here's how you compile a kernel:

https://help.ubuntu.com/community/Kernel/Compile

Copy# You can get the kernel-source via package `linux-source`, no manual download required
apt-get install linux-source fakeroot

mkdir ~/src
cd ~/src
tar xjvf /usr/src/linux-source-<version>.tar.bz2
cd linux-source-<version>

# Apply the changes to PROT_SOCK define in /include/net/sock.h

# Copy the kernel config file you are currently using
cp -vi /boot/config-`uname -r` .config

# Install ncurses libary, if you want to run menuconfig
apt-get install libncurses5 libncurses5-dev

# Run menuconfig (optional)
make menuconfig

# Define the number of threads you wanna use when compiling (should be <number CPU cores> - 1), e.g. for quad-core
export CONCURRENCY_LEVEL=3
# Now compile the custom kernel
fakeroot make-kpkg --initrd --append-to-version=custom kernel-image kernel-headers

# And wait a long long time

cd ..

In a nutshell:

  • use iptables if you want to stay secure,
  • compile the kernel if you want to be sure this restriction never bothers you again.
Discussions

linux - How to get Oracle java 7 to work with setcap cap_net_bind_service+ep - Unix & Linux Stack Exchange
I am trying to grant the java executable the right to open ports below 1024 on Linux. Here is the setup /home/test/java contains the Oracle Server JRE 7.0.25 CentOS 6.4 Here is what getcap returns [ More on unix.stackexchange.com
🌐 unix.stackexchange.com
sudo - Allow an unprivileged user to start a webserver on port 80 - Unix & Linux Stack Exchange
setcap cap_net_bind_service=ep /path/to/the/executable (doesn't stick because the executable is recompiled remotely and stored on NFS) More on unix.stackexchange.com
🌐 unix.stackexchange.com
How to set capabilities with setcap command? - Unix & Linux Stack Exchange
I would like to set up wpa_supplicant and openvpn to run as non-root user, like the recommended setup for wireshark. I can't find any documentation for what +eip in this example means: sudo setcap More on unix.stackexchange.com
🌐 unix.stackexchange.com
September 1, 2017
Can't bind node to port 443 using setcap cap_net_bind_service
I have tried setcap 'cap_net_bind_service=+ep' /usr/bin/node I have also tried setcap 'cap_net_bind_service=+ep' /usr/bin/node20 as suggested by another post on the forum. The app still doesn’t bind on port 443. I haven’t encountered this issue on Rocky Linux, Ubuntu and Debian. More on forums.opensuse.org
🌐 forums.opensuse.org
1
0
September 26, 2025
🌐
Linux Man Pages
man7.org › linux › man-pages › man7 › capabilities.7.html
capabilities(7) - Linux manual page
CAP_MKNOD (since Linux 2.4) Create ... CAP_NET_ADMIN Perform various network-related operations: • interface configuration; • administration of IP firewall, masquerading, and accounting; • modify routing tables; • bind to any address for transparent proxying; • set type-of-service (TOS); • ...
🌐
Red Hat
access.redhat.com › solutions › 3479331
How to use setcap cap_net_bind_service with JBCS Apache httpd 2.4? - Red Hat Customer Portal
To run Apache httpd with port 80, it was used the following command: setcap cap_net_bind_service=+ep /opt/apache/jbcs-httpd24-2.4/httpd/sbin/httpd But after this configuration, Apache httpd does not take the configuration from LD_LIBRARY_PATH.
🌐
Apache
cwiki.apache.org › confluence › display › httpd › NonRootPortBinding
NonRootPortBinding - HTTPD - Apache Software Foundation
The capability we need to add is CAP_NET_BIND_SERVICE, which is explicitly defined as the capacity for an executable to bind to a port less than 1024. You need to be root to do that, so first, be root. Then, add the capability to the httpd binary: root@myhost # setcap cap_net_bind_service=+ep ...
🌐
Container Solutions
blog.container-solutions.com › linux-capabilities-in-practice
Linux Capabilities In Practice
September 25, 2019 - I’ve created a short program set_ambient that simply uses the cap-ng library to add the CAP_NET_BIND_SERVICE capability to the ambient set of a new process. Once compiled, we need to give it file privileges so that it has the correct capability: $ sudo setcap cap_net_bind_service+p set_ambient ...
Find elsewhere
Top answer
1 of 2
16

Until you asked the question I never even heard of this facility in Unix (file capabilities). I found this link which looks to have the solution as to how to make ld.so trust your shared libraries:

  • JDK-7157699 : can not run java after granting posix capabilities

excerpt from that post

When one is raising the privileges of an executable, the runtime loader (rtld), better know as ld.so will not link with libraries in untrusted paths. This is the way the ld.so(1) has been designed. If one needs to run such an executable, then you have to add that path to the trusted paths of ld.so, the following describes how to do so:

Fedora 11:
% uname -a
Linux localhost.localdomain 2.6.29.4-167.fc11.i686.PAE #1 SMP Wed May 27 17:28:22 EDT 2009 i686 i686 i386 GNU/Linux
% sudo setcap cap_net_raw+epi ./jdk1.7.0_04/bin/java
% ./jdk1.7.0_04/bin/java -version
./jdk1.7.0_04/bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory

Its kaput, Ok we are on the same page now, to fix this, create a file such as > this, with the path to libjli.so

% cat /etc/ld.so.conf.d/java.conf
/home/someuser/jdk1.7.0_04/jre/lib/i386/jli

This will add the the pathname to the trusted user path, that ld.so will use, to build its runtime cache, verify if ld.so is seeing it by doing this, need to run it as root, and a reboot may be necessary.

% ldconfig | grep libjli
libjli.so -> libjli.so
.......

Now test java:

% ./jdk1.7.0_04/bin/java -version
java version "1.7.0_04-ea"
Java(TM) SE Runtime Environment (build 1.7.0_04-ea-b18)

and there you have it.....

References

  • POSIX file capabilities: Parceling the power of root
  • This is the Linux kernel capabilities FAQ
  • capabilities man page
  • Capability-based security - wikipedia
  • Using File Capabilities Instead Of Setuid
2 of 2
1

Just to show the full process to enable Java listenign at port 80 (or any port below 1024):

  • For a JAVA_HOME:
    $> export JAVA_HOME=/usr/local/java/graalvm-ce-java8-20.2.0
    
  • You should enable the capability to the java binary:
    $> sudo /sbin/setcap 'cap_net_bind_service=ep' /usr/local/java/graalvm-ce-java8-20.2.0/bin/java
    
  • After that you will start to get some error when running java:
    $> java -version
    ./bin/java: error while loading shared libraries: libjli.so: cannot open shared object file: No such file or directory
    
  • To fix that you should update ldconfig. Just create a java.conf file:
    $> cat /etc/ld.so.conf.d/java.conf 
    /usr/local/java/graalvm-ce-java8-20.2.0/lib/amd64/jli
    /usr/local/java/graalvm-ce-java8-20.2.0/jre/lib/amd64/jli
    
    $> java -version
    
  • Now java works:
    $> java -version
    openjdk version "1.8.0_262"
    ...
    
Top answer
1 of 7
337

I'm not sure what the other answers and comments here are referring to. This is possible rather easily. There are two options, both which allow access to low-numbered ports without having to elevate the process to root:

Option 1: Use CAP_NET_BIND_SERVICE to grant low-numbered port access to a process:

With this you can grant permanent access to a specific binary to bind to low-numbered ports via the setcap command:

sudo setcap CAP_NET_BIND_SERVICE=+eip /path/to/binary

For more details on the e/i/p part, see cap_from_text.

After doing this, /path/to/binary will be able to bind to low-numbered ports. Note that you must use setcap on the binary itself rather than a symlink.

Option 2: Use authbind to grant one-time access, with finer user/group/port control:

The authbind (man page) tool exists precisely for this.

  1. Install authbind using your favorite package manager.

  2. Configure it to grant access to the relevant ports, e.g. to allow 80 and 443 from all users and groups:

     sudo touch /etc/authbind/byport/80
     sudo touch /etc/authbind/byport/443
     sudo chmod 777 /etc/authbind/byport/80
     sudo chmod 777 /etc/authbind/byport/443
    
  3. Now execute your command via authbind (optionally specifying --deep or other arguments, see the man page):

     authbind --deep /path/to/binary command line args
    

    E.g.

     authbind --deep java -jar SomeServer.jar
    

There are upsides and downsides to both of the above. Option 1 grants trust to the binary but provides no control over per-port access. Option 2 grants trust to the user/group and provides control over per-port access but older versions supported only IPv4 (since I originally wrote this, newer versions with IPv6 support were released).

2 of 7
60

I have a rather different approach. I wanted to use port 80 for a node.js server. I was unable to do it since Node.js was installed for a non-sudo user. I tried to use symlinks, but it didn't work for me.

Then I got to know that I can forward connections from one port to another port. So I started the server on port 3000 and set up a port forward from port 80 to port 3000.

This link provides the actual commands which can be used to do this. Here're the commands -

localhost/loopback

sudo iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 3000

external

sudo iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3000

I have used the second command and it worked for me. So I think this is a middle ground for not allowing user-process to access the lower ports directly, but giving them access using port-forwarding.

Top answer
1 of 2
4

I think setcap will be your answer. I think the real question here is: How will my system recognize when the webserver on the NFS has been touched so it can run a setcap command on it?

I think you'll want to set up an inotify or systemd.path to monitor this webserver. When that binary gets replaced, you'll detect it and trigger the setcap command that works for you. This works especially well if your webserver runs via systemd already.

Here's an example with systemd.path assuming your server runs as systemd service webserver.service

# /etc/systemd/system/webcap.path
[Unit]
Description=Watching changes in the webserver binary
# Start monitoring only after the webserver is running.
After=webserver.service

[Path]
# Whenever someone writes to this path (binary is replaced), do something
PathModified=/path/to/webserver
# This is the service you launch when the above condition is met
Unit=webcap.service

[Install]
#Whenever the webserver is started, this monitor will also start
WantedBy=webserver.service
# /etc/systemd/system/webcap.service
[Unit]
Description=Update caps of webserver

[Service]
Type=oneshot
ExecStart=ssetcap cap_net_bind_service=ep /path/to/webserver
2 of 2
3

While I liked Stewart's answer, it adds yet another piece to the pipeline that can break (systemd), so I ended up using capsh per this answer. I had to recompile it from source to get the ambient capabilities feature (I stored the resulting binary as /sbin/capsh2), then I was able to set this as the launch command:

/sbin/capsh2 --keep=1 --user=nonrootuser --inh=cap_net_bind_service --addamb=cap_net_bind_service -- -c /path/to/webserver

When this command is run as root, the webserver correctly starts as nonrootuser and is able to bind to ports 80 and 443 in "userspace".

Top answer
1 of 2
35

The way capabilities work in Linux is documented in man 7 capabilities.

Processes' capabilities in the effective set are against which permission checks are done. File capabilities are used during an execv call (which happens when you want to run another program1) to calculate the new capability sets for the process.

Files have two sets for capabilities, permitted and inheritable and effective bit.

Processes have three capability sets: effective, permitted and inheritable. There is also a bounding set, which limits which capabilities may be added later to a process' inherited set and affects how capabilities are calculated during a call to execv. Capabilities can only be dropped from the bounding set, not added.

Permissions checks for a process are checked against the process' effective set. A process can raise its capabilities from the permitted to the effective set (using capget and capset syscalls, the recommended APIs are respectively cap_get_proc and cap_set_proc).

Inheritable and bounding sets and file capabilities come into play during an execv syscall. During execv, new effective and permitted sets are calculated and the inherited and bounding sets stay unchanged. The algorithm is described in the capabilities man page:

P'(permitted) = (P(inheritable) & F(inheritable)) |
                (F(permitted) & cap_bset)

P'(effective) = F(effective) ? P'(permitted) : 0

P'(inheritable) = P(inheritable)    [i.e., unchanged]

Where P is the old capability set, P' is the capability set after execv and F is the file capability set.

If a capability is in both processes' inheritable set and the file's inheritable set (intersection/logical AND), it is added to the permitted set. The file's permitted set is added (union/logical OR) to it (if it is within the bounding set).

If the effective bit in file capabilities is set, all permitted capabilities are raised to effective after execv.

Capabilities in kernel are actually set for threads, but regarding file capabilities this distinction is usually relevant only if the process alters its own capabilities.

In your example capabilities cap_net_raw , cap_net_admin and cap_dac_override are added to the inherited and permitted sets and the effective bit is set. When your binary is executed, the process will have those capabilities in the effective and permitted sets if they are not limited by a bounding set.

[1] For the fork syscall, all the capabilities and the bounding set are copied from parent process. Changes in uid also have their own semantics for how capabilities are set in the effective and permitted sets.

2 of 2
19

Setting a capability on a file

sudo setcap 'cap_net_bind_service=ep' file_name

Setting multiple capabilities on a file

sudo setcap 'cap_net_bind_service=ep cap_sys_admin=ep' file_name

Removing all capabilities from a file

sudo setcap -r file_name

Checking capabilities for a file

getcap file_name

List of possible capabilities (some are really interesting)

https://linux.die.net/man/7/capabilities

Pitfall: setting capabilities does not really work for scripts. If you want your Python script to work, you need to set the capabilities on the Python executable itself. It's not ideal.

Note: setcap always overwrites the entire capability set when you run it. Most of the time, you see examples using setcap with + or - syntax, which I believe is a confusing piece of junk and does NOT work as you would expect from other tools like chmod. You can't use setcap multiple times to add different capabilities, it needs to be done in a single command.

🌐
openSUSE Forums
forums.opensuse.org › english › network/internet
Can't bind node to port 443 using setcap cap_net_bind_service - Network/Internet - openSUSE Forums
September 26, 2025 - I have tried setcap 'cap_net_bind_service=+ep' /usr/bin/node I have also tried setcap 'cap_net_bind_service=+ep' /usr/bin/node20 as suggested by another post on the forum. The app still doesn’t bind on port 443. I …
Top answer
1 of 2
7

The reason Solution 1: using a systemd socket doesn't work is that the binary must be built to accept the socket from systemd. It doesn't "just work" unfortunately.

Systemd passes the socket as file descriptor 3 (after stdin, stdout, stderr). Here's an example program (from my blog post here)

package main

import (
    "log"
    "net"
    "net/http"
    "os"
    "strconv"
)

func main() {
    http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
        w.Write([]byte("Hello World!"))
    })

    if os.Getenv("LISTEN_PID") == strconv.Itoa(os.Getpid()) {
        // systemd run
        f := os.NewFile(3, "from systemd")
        l, err := net.FileListener(f)
        if err != nil {
            log.Fatal(err)
        }
        http.Serve(l, nil)
    } else {
        // manual run
        log.Fatal(http.ListenAndServe(":8080", nil))
    }
}

You would have to ask goldfish to add support.

For the systemd capabilities (Solution 2) I don't know, but could it be that you also need SecureBits=keep-caps ? systemd should set that automatically, but maybe your version of systemd (8 months ago) didn't? Vault uses it: https://learn.hashicorp.com/vault/operations/ops-deployment-guide#step-3-configure-systemd

Another option would be to use SELinux, although that might be a "now you have two problems".

Personally in your situation I think I would put nginx in front of it. What did you end up doing?

2 of 2
5

I know this isn't exactly what you wanted and adds "another piece" to the puzzle but you could consider creating a systemd .service file and moving the applications listening port to >1023 (this allows non-root to bind to it), then create an iptables rule that redirects all traffic from port 443 to your new custom port like this:

iptables -t nat -A PREROUTING -i <incoming_interface> -p tcp --dport 443 -j REDIRECT --to-port 8443

In this example, all tcp traffic to port 443 would be transparently redirected to port 8443.

🌐
Arch Linux Forums
bbs.archlinux.org › viewtopic.php
[Solved] Unable to add CAP_NET_BIND_SERVICE capability to service / Networking, Server, and Protection / Arch Linux Forums
It can bind to port 80 when I run it as the gitea user. However, setcap does not work for systemd units. From what I understand, the correct method of doing this is in a systemd unit is through AmbientCapabilities. So I have added the following to /usr/lib/systemd/system/gitea.service · # Set port permissions capability SecureBits=keep-caps AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
🌐
Docker Community
forums.docker.com › general
"sudo setcap cap_net_bind_service".... does it survive docker update? - General - Docker Community Forums
August 15, 2024 - Hi, I’m using rootless and have set “cap_net_bind_service” as in the title. It’s been working without an issue. I’m not 100% sure but I believe, after updating docker, containers stopped working and I’ve started getting the famous “unprivileged port binding” error on “docker ...
🌐
GitHub
github.com › Kong › docker-kong › pull › 213 › files
setcap CAP_NET_BIND_SERVICE to support deploying Kong to port 80 in h… by JoyZhang66 · Pull Request #213 · Kong/docker-kong
I tried to deploy Kong1.0 to port ... kong:1.0 I checked the code and found only cap_net_raw was set but CAP_NET_BIND_SERVICE not, so I added setcap CAP_NET_BIND_SERVICE to support deploying Kong to port 80 in host network....
Author   Kong
🌐
PTC Community
community.ptc.com › t5 › ThingWorx-Developers › Linux-Tomcat-Port-80 › td-p › 966390
Solved: Linux - Tomcat - Port 80 - PTC Community
August 15, 2024 - Here are the steps to Java run on privileged ports in Linux: NOTE: $SPECROOT is /usr/Spectrum (you may have installed Spectrum in a different directory) 1. The setcap sets the capabilities of each specified filename to the capabilities specified. In this case, allow java to bind on privileged ...