
Let's say I have some Java application running on the host doing different things, and now I have built a jar that captures network traffic. While reading "What's a least-privilege way to allow node.js to access network adapters on Linux?", it seems to me that the best way to apply least privilege is to use setcap:

setcap 'cap_net_raw,cap_net_admin=eip' /usr/local/bin/java

But here is the problem: if I setcap Java, it then gives all Java applications the ability to capture traffic. Is there a better way to do it?

A.Ho

1 Answer


Create a wrapper program that has those capabilities, that just starts java on the correct jar file.

  • Will this go back to the same problem? Let's say I use a Python script as a wrapper to start my jar; then my setcap will set Python to have network capture ability. – A.Ho Nov 12 '19 at 19:07
  • @A.Ho a wrapper **program**, in a language that compiles to a native binary (e.g., C, C++, Rust, Haskell, etc.) – Joseph Sible-Reinstate Monica Nov 12 '19 at 19:30
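A native wrapper of the kind the answer and the follow-up comment describe, as an added example rather than code from the answer. It assumes Linux 4.3 or later (ambient capabilities), that the admin ran `setcap 'cap_net_raw,cap_net_admin=eip'` on the wrapper binary instead of on java, and placeholder paths for the jar; without the ambient step the file capabilities would be dropped at execve() and java would start unprivileged.

```c
/* Added example: capability-bearing wrapper that execs java on one fixed jar.
 * Assumes: setcap 'cap_net_raw,cap_net_admin=eip' /usr/local/bin/capture-wrapper
 * (placeholder path). Only the two needed capabilities are passed on. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/capability.h>

#define JAVA_BIN    "/usr/local/bin/java"        /* java path from the question */
#define CAPTURE_JAR "/opt/capture/capture.jar"   /* placeholder jar path */

static const int needed_caps[] = { CAP_NET_RAW, CAP_NET_ADMIN };

/* Raise each needed capability into the ambient set so it survives execve().
 * PR_CAP_AMBIENT_RAISE requires the cap to already be permitted and
 * inheritable, which the 'eip' file capability on this wrapper provides.
 * Returns 0 on success, -1 (with errno set) on failure. */
int raise_ambient_caps(void) {
    for (size_t i = 0; i < sizeof needed_caps / sizeof needed_caps[0]; i++) {
        if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, needed_caps[i], 0, 0) != 0)
            return -1;
    }
    return 0;
}

/* Build argv for java with the jar path hard-coded, so the wrapper cannot be
 * pointed at an arbitrary jar. Caller arguments are appended after the jar,
 * so they reach the capture application rather than the JVM itself.
 * Returns the number of entries written (excluding the NULL), or -1. */
int build_java_argv(int argc, char **argv, char **out, int out_len) {
    int n = 0;
    if (out_len < argc + 3) return -1;      /* "java", "-jar", jar, args, NULL */
    out[n++] = "java";
    out[n++] = "-jar";
    out[n++] = CAPTURE_JAR;
    for (int i = 1; i < argc; i++) out[n++] = argv[i];
    out[n] = NULL;
    return n;
}

int main(int argc, char **argv) {
    char *java_argv[argc + 3];
    if (raise_ambient_caps() != 0) {
        fprintf(stderr, "cannot raise ambient capabilities: %s\n", strerror(errno));
        return 1;
    }
    if (build_java_argv(argc, argv, java_argv, argc + 3) < 0) return 1;
    execv(JAVA_BIN, java_argv);                /* only returns on failure */
    fprintf(stderr, "execv %s failed: %s\n", JAVA_BIN, strerror(errno));
    return 1;
}
```

Keep the wrapper owned by root and not writable by the account that runs it, since whoever can modify the binary gets the capabilities it carries.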