Linux capabilities

Bind ports below 1024 without root on GNU/Linux

For Debian install libcap2-bin

If your linux is 2.6.26 or newer, you may no longer need to patch linux as below.

For superuser ports, try setcap cap_net_bind_service=+ep /path/to/program

Also can do setcap cap_ipc_lock,cap_sys_nice=+ep /usr/bin/jackd and enjoy realtime scheduling in jack. You can also do this for alsaplayer to enable the realtime option there.

If you want to use wireshark from a non-root account, do setcap cap_net_raw=+ep /usr/bin/dumpcap. Now you can run wireshark from a normal account and choose to capture from the network.

If linux is older than about 2.6.18…

You'll need to enable capabilities in Linux by editing /usr/src/linux/include/linux/capability.h to make CAP_INIT_EFF_SET equal to CAP_FULL_SET. Like this.

Re-compile and install linux with capabilites and commoncap modules and then modprobe commoncap

Now you can give any program access to ports less than 1024 by executing something like sudo setpcaps cap_net_bind_service+eip `pidof program`. The program itself never has or gets root privieges by this way.

The realtime priority of jackd could be checked with chrt -p `ps -C jackd -o pid=`. chrt can be found in the schedutils package. You now see jackd bear a priority of RT within the top program.

Of course you need to allow users to do this by letting setpcaps run as root to do its work in /etc/sudoers file.

You might co-erce Adobe Flash to try jackplug with FLASH_ALSA_DEVICE=plug:SLAVE=jack set in the environment variables.

Modifying your servers to use setpcaps

It may also be useful to insert a slight delay with sleep(1) in the main() function of some programs so that setpcaps has time to do its work before the background program attempts to bind ports under 1024.

That works in C programs, in python can put something like this near the beginning

import select
select.select([],[],[],1)