<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif">Is authbind or privbind a good alternative? it probably has the same effect of setcap but with a little more security.<br><br></div><div class="gmail_default" style="font-family:verdana,sans-serif">It seems the best choice is iptables.<br></div><div class="gmail_default" style="font-family:verdana,sans-serif"><br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><br>Jorge Solórzano<br><a href="http://www.jorsol.com">http://www.jorsol.com</a></div></div>
<br><div class="gmail_quote">On Fri, Jan 16, 2015 at 9:31 PM, Jason T. Greene <span dir="ltr"><<a href="mailto:jason.greene@redhat.com" target="_blank">jason.greene@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class=""><br>
> On Jan 16, 2015, at 5:37 PM, denstar <<a href="mailto:valliantster@gmail.com">valliantster@gmail.com</a>> wrote:<br>
><br>
> On 01/16/2015 04:19 PM, Jason Greene wrote:<br>
> ...<br>
> [snip helpful example rules]<br>
>><br>
>> B. Using setcap to grant perms for java to bind lower ports:<br>
><br>
> FWIW, this would open things up for Java in general, so while it should<br>
> perform better, it'll also be a little more risky, which may or may not<br>
> be a concern.<br>
<br>
</span>Right all Java code using this JVM would have access to binding *all ports* (e.g a Java program could bind say the ssh port (assuming it's not running) and sniff passwords). So it would be a good idea to have a dedicated JVM just for WildFly and to limit the execution permission to just a dedicated WildFly user. That way you ensure only the wildfly process can bind these ports.<br>
<br>
Alternatively, you could use something like docker which automates capability assignment and provides some extra isolation. It's overkill though if the only thing running on a box is a wildfly process.<br>
<br>
Just a note that you will still get fantastic performance with iptables port forwarding since the particular rule is completely stateless, and the action is just to modify the packet in memory. It's only extreme scenarios where that overhead is worth avoiding.<br>
<span class=""><font color="#888888"><br>
-Jason<br>
<br>
<br>
<br>
</font></span></blockquote></div><br></div></div>