We installed Java 11 on a server that is meant to monitor a network interface for traffic.
After the initial installation (yum install java-11-openjdk-devel.x86_64) the java command works properly for both root and a regular user.
However, our Java application will not be running as root. We then ran:
setcap cap_net_raw,cap_net_admin=eip /path/to/java
It sets the capabilities, and running java -version as root works fine.
But after running setcap, when I try to run java -version as a regular user, I see:
java: symbol lookup error: java: undefined symbol: JLI_InitArgProcessing
This seems to be an intended security protection as discussed here: Linux capabilities (setcap) seems to disable LD_LIBRARY_PATH
But my question is: How can I allow java to use these capabilities (network packet capture) under a regular user account?
Note: Unsetting the capabilities via setcap -r /path/to/java allows a regular user to run java again - so the issue is isolated to capabilities.