Bug #4647
closed
Ethernet faces are not created after dropping privileges
100%
Description
In NFD 0.6.2 PPA package, nfd.conf drops root privilege and seteuid to "ndn" user, and the installation script executes setcap on the NFD binary.
As reported in #4565-3, this is ineffective because seteuid automatically clears all capabilities unless the SECBIT_KEEP_CAPS flag is set on the process, and Ethernet face creation fails with "pcap_activate: You don't have permission to capture on that device" error.
To fix this issue, PcapHelper should wrap pcap_activate in PrivilegeHelper::runElevated.
Updated by Junxiao Shi over 6 years ago
- Related to Bug #4565: nfd: Ethernet faces are not created added
Updated by Davide Pesavento over 6 years ago
- Subject changed from Ethernet faces are not created after dropping privilege to Ethernet faces are not created after dropping privileges
- Description updated (diff)
- Assignee set to Davide Pesavento
Updated by Davide Pesavento almost 5 years ago
- Target version changed from v0.7 to 22.02
Updated by Junxiao Shi almost 4 years ago
- Status changed from New to Code review
- Assignee changed from Davide Pesavento to Junxiao Shi
- % Done changed from 0 to 100
It's my third time running into this issue so I did it.
https://gerrit.named-data.net/c/NFD/+/6329
After this change, Ethernet face works with either NFD started as root, or NFD started as non-root with capabilities.
Start NFD binary as root
Setup steps:
sudo groupadd --system ndn
sudo useradd --system --gid ndn --create-home --home-dir /var/lib/ndn --shell /usr/sbin/nologin ndn
cd /usr/local/etc/ndn
sudo cp nfd.conf.sample nfd.conf
sudo infoedit -f nfd.conf -s general.user -v ndn
sudo infoedit -f nfd.conf -s general.group -v ndn
sudo HOME=/var/lib/ndn -u ndn ndnsec key-gen /operator
sudo HOME=/var/lib/ndn nfd
NFD console log:
1611758413.846030 INFO: [nfd.PrivilegeHelper] elevated to effective uid=0 gid=0
1611758413.887127 INFO: [nfd.PrivilegeHelper] dropped to effective uid=998 gid=998
1611758413.890453 INFO: [nfd.FaceTable] Added face id=256 remote=ether://[01:00:5e:00:17:aa] local=dev://eth0
Face list:
$ nfdc face list scheme ether
faceid=256 remote=ether://[01:00:5e:00:17:aa] local=dev://eth0 congestion={base-marking-interval=100ms default-threshold=65536B} mtu=1500 counters={in={0i 0d 0n 0B} out={0i 0d 0n 0B}} flags={non-local permanent multi-access}
Start NFD binary as non-root
Setup steps:
sudo groupadd --system ndn
sudo useradd --system --gid ndn --create-home --home-dir /var/lib/ndn --shell /usr/sbin/nologin ndn
cd /usr/local/etc/ndn
sudo cp nfd.conf.sample nfd.conf
sudo infoedit -f nfd.conf -s face_system.unix.path -v /tmp/nfd.sock
sudo setcap cap_net_raw=eip /usr/local/bin/nfd
sudo HOME=/var/lib/ndn -u ndn ndnsec key-gen /operator
sudo HOME=/var/lib/ndn -u ndn nfd
NFD console log:
1611758639.241697 INFO: [nfd.FaceTable] Added face id=256 remote=ether://[01:00:5e:00:17:aa] local=dev://eth0
Face list:
$ NDN_CLIENT_TRANSPORT=unix:///tmp/nfd.sock nfdc face list scheme ether
faceid=256 remote=ether://[01:00:5e:00:17:aa] local=dev://eth0 congestion={base-marking-interval=100ms default-threshold=65536B} mtu=1500 counters={in={0i 0d 0n 0B} out={0i 0d 0n 0B}} flags={non-local permanent multi-access}
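A check for the two setups above, added here as an example and not part of the issue thread or of NFD: it reads the text of /proc/<pid>/status and reports whether CAP_NET_RAW is in the process's effective set, which is what opening a raw capture socket requires. The function names and the three sample status texts are constructed for illustration; uid 998 is taken from the console log above.

```shell
#!/bin/sh
# Added example (not NFD code): classify CAP_NET_RAW for a process
# from the text of /proc/<pid>/status.
CAP_NET_RAW_BIT=13   # CAP_NET_RAW is capability number 13 on Linux

# status_field TEXT NAME COLUMN: print one column of the "NAME:" line.
status_field() {
    printf '%s\n' "$1" | awk -v k="$2:" -v c="$3" '$1 == k { print $c; exit }'
}

# has_cap HEXMASK BIT: succeed if the bit is set in the hexadecimal mask.
has_cap() {
    [ $(( (0x${1:-0} >> $2) & 1 )) -eq 1 ]
}

# net_raw_state TEXT: print "euid=<n> cap_net_raw=<effective|permitted-only|absent>".
net_raw_state() {
    euid=$(status_field "$1" Uid 3)    # Uid: real effective saved fs
    if has_cap "$(status_field "$1" CapEff 2)" "$CAP_NET_RAW_BIT"; then
        state=effective          # raw capture sockets can be opened right now
    elif has_cap "$(status_field "$1" CapPrm 2)" "$CAP_NET_RAW_BIT"; then
        state=permitted-only     # held, but not active at this moment
    else
        state=absent
    fi
    printf 'euid=%s cap_net_raw=%s\n' "$euid" "$state"
}

# Constructed samples (not captured from a real NFD process).
# Started as root, then seteuid to uid 998: effective set is empty.
SAMPLE_DROPPED='Name: nfd
Uid: 0 998 0 998
CapPrm: 000001ffffffffff
CapEff: 0000000000000000'
# Started as uid 998 from a binary with cap_net_raw=eip.
SAMPLE_FILECAP='Name: nfd
Uid: 998 998 998 998
CapPrm: 0000000000002000
CapEff: 0000000000002000'
# Started as uid 998 from a binary without file capabilities.
SAMPLE_NOCAP='Name: nfd
Uid: 998 998 998 998
CapPrm: 0000000000000000
CapEff: 0000000000000000'

net_raw_state "$SAMPLE_DROPPED"
net_raw_state "$SAMPLE_FILECAP"
net_raw_state "$SAMPLE_NOCAP"
# Live use: net_raw_state "$(cat "/proc/$(pidof nfd)/status")"
```

A result of permitted-only with a non-zero euid is the state in which capture fails unless the process raises its effective uid around the call.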
Updated by Davide Pesavento almost 4 years ago
So what are capabilities used for now? In the second scenario, you are still using sudo to run nfd, so it's not really "start as non-root".
Updated by Junxiao Shi almost 4 years ago
> In the second scenario, you are still using sudo to run nfd, so it's not really "start as non-root".

The command is sudo -u ndn nfd, so NFD binary is running as ndn user that does not have root privilege.
Capabilities are needed in this case.
(there was a copy-paste error in note-4 that has been corrected)
Updated by Junxiao Shi almost 4 years ago
- Status changed from Code review to Closed