Bug #4647

closed

Ethernet faces are not created after dropping privileges

Added by Junxiao Shi over 6 years ago. Updated almost 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Faces
Target version:
Start date:
Due date:
% Done: 100%
Estimated time: 1.00 h

Description

In the NFD 0.6.2 PPA package, nfd.conf drops root privilege and calls seteuid to the "ndn" user, and the installation script executes setcap on the NFD binary.

As reported in #4565-3, this is ineffective because seteuid automatically clears all capabilities unless the SECBIT_KEEP_CAPS flag is set on the process, and Ethernet face creation fails with "pcap_activate: You don't have permission to capture on that device" error.

To fix this issue, PcapHelper should wrap pcap_activate in PrivilegeHelper::runElevated.


Related issues 1 (0 open, 1 closed)

Related to Packaging - Bug #4565: nfd: Ethernet faces are not created (Closed, Junxiao Shi)

Actions #1

Updated by Junxiao Shi over 6 years ago

  • Related to Bug #4565: nfd: Ethernet faces are not created added
Actions #2

Updated by Davide Pesavento over 6 years ago

  • Subject changed from Ethernet faces are not created after dropping privilege to Ethernet faces are not created after dropping privileges
  • Description updated (diff)
  • Assignee set to Davide Pesavento
Actions #3

Updated by Davide Pesavento almost 5 years ago

  • Target version changed from v0.7 to 22.02
Actions #4

Updated by Junxiao Shi almost 4 years ago

  • Status changed from New to Code review
  • Assignee changed from Davide Pesavento to Junxiao Shi
  • % Done changed from 0 to 100

It's my third time running into this issue so I did it.
https://gerrit.named-data.net/c/NFD/+/6329

After this change, Ethernet face works with either NFD started as root, or NFD started as non-root with capabilities.

Start NFD binary as root

Setup steps:

sudo groupadd --system ndn
sudo useradd --system --gid ndn --create-home --home-dir /var/lib/ndn --shell /usr/sbin/nologin ndn

cd /usr/local/etc/ndn
sudo cp nfd.conf.sample nfd.conf
sudo infoedit -f nfd.conf -s general.user -v ndn
sudo infoedit -f nfd.conf -s general.group -v ndn

sudo HOME=/var/lib/ndn -u ndn ndnsec key-gen /operator
sudo HOME=/var/lib/ndn nfd

NFD console log:

1611758413.846030  INFO: [nfd.PrivilegeHelper] elevated to effective uid=0 gid=0
1611758413.887127  INFO: [nfd.PrivilegeHelper] dropped to effective uid=998 gid=998
1611758413.890453  INFO: [nfd.FaceTable] Added face id=256 remote=ether://[01:00:5e:00:17:aa] local=dev://eth0

Face list:

$ nfdc face list scheme ether
faceid=256 remote=ether://[01:00:5e:00:17:aa] local=dev://eth0 congestion={base-marking-interval=100ms default-threshold=65536B} mtu=1500 counters={in={0i 0d 0n 0B} out={0i 0d 0n 0B}} flags={non-local permanent multi-access}

Start NFD binary as non-root

Setup steps:

sudo groupadd --system ndn
sudo useradd --system --gid ndn --create-home --home-dir /var/lib/ndn --shell /usr/sbin/nologin ndn

cd /usr/local/etc/ndn
sudo cp nfd.conf.sample nfd.conf
sudo infoedit -f nfd.conf -s face_system.unix.path -v /tmp/nfd.sock

sudo setcap cap_net_raw=eip /usr/local/bin/nfd
sudo HOME=/var/lib/ndn -u ndn ndnsec key-gen /operator
sudo HOME=/var/lib/ndn -u ndn nfd

NFD console log:

1611758639.241697  INFO: [nfd.FaceTable] Added face id=256 remote=ether://[01:00:5e:00:17:aa] local=dev://eth0

Face list:

$ NDN_CLIENT_TRANSPORT=unix:///tmp/nfd.sock nfdc face list scheme ether
faceid=256 remote=ether://[01:00:5e:00:17:aa] local=dev://eth0 congestion={base-marking-interval=100ms default-threshold=65536B} mtu=1500 counters={in={0i 0d 0n 0B} out={0i 0d 0n 0B}} flags={non-local permanent multi-access}
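
An added example, not part of the note above and not NFD's code: a C illustration of the elevate, run, drop pattern that the description proposes for pcap_activate, together with a check of whether CAP_NET_RAW is in the process's effective capability set in either startup scenario. The names `run_elevated`, `has_net_raw`, `self_has_net_raw` and `probe` are hypothetical; bit 13 is the value of CAP_NET_RAW in <linux/capability.h>.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define CAP_NET_RAW_BIT 13    /* value of CAP_NET_RAW in <linux/capability.h> */

/* 1 if CAP_NET_RAW is set in the CapEff line of /proc/<pid>/status text,
 * 0 if it is clear, -1 if the text has no CapEff line. */
int has_net_raw(const char *status_text) {
    const char *p = strstr(status_text, "CapEff:");
    if (p == NULL) return -1;
    unsigned long long mask = strtoull(p + strlen("CapEff:"), NULL, 16);
    return (int)((mask >> CAP_NET_RAW_BIT) & 1ULL);
}

/* Reads this process's own status; returns has_net_raw() or -1 on I/O error. */
int self_has_net_raw(void) {
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return has_net_raw(buf);
}

/* Hypothetical helper: raise the effective uid to 0 only around fn(), then
 * drop back and verify the drop. If elevation is not permitted (process was
 * started as non-root), fn() runs with whatever capabilities the process has. */
int run_elevated(int (*fn)(void *), void *arg) {
    uid_t euid = geteuid();
    int elevated = (euid != 0 && seteuid(0) == 0);
    int rc = fn(arg);
    if (elevated && (seteuid(euid) != 0 || geteuid() != euid))
        abort();              /* never keep running with a root euid */
    return rc;
}

/* Demo callback: reports the effective CAP_NET_RAW state at call time. */
static int probe(void *unused) { (void)unused; return self_has_net_raw(); }

int main(void) {
    printf("CAP_NET_RAW effective: outside=%d inside run_elevated=%d\n",
           self_has_net_raw(), run_elevated(probe, NULL));
    return 0;
}
```
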
Actions #5

Updated by Davide Pesavento almost 4 years ago

So what are capabilities used for now? In the second scenario, you are still using sudo to run nfd, so it's not really "start as non-root".

Actions #6

Updated by Junxiao Shi almost 4 years ago

In the second scenario, you are still using sudo to run nfd, so it's not really "start as non-root".

The command is sudo -u ndn nfd, so the NFD binary is running as the ndn user, which does not have root privilege.
Capabilities are needed in this case.

(there was a copy-paste error in note-4 that has been corrected)

Actions #7

Updated by Davide Pesavento almost 4 years ago

Ok, makes sense now.

Actions #8

Updated by Junxiao Shi almost 4 years ago

  • Status changed from Code review to Closed