Bug #4647: Ethernet faces are not created after dropping privileges - NFD - NDN project issue tracking system

Bug #4647

closed

Ethernet faces are not created after dropping privileges

Added by Junxiao Shi almost 6 years ago. Updated about 3 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Junxiao Shi

Category:

Faces

Target version:

22.02

Start date:

Due date:

% Done:

100%

Estimated time:

1.00 h

Description

In NFD 0.6.2 PPA package, nfd.conf drops root privilege and seteuid to "ndn" user, and the installation script executes setcap on the NFD binary.

As reported in #4565-3, this is ineffective because seteuid automatically clears all capabilities unless the SECBIT_KEEP_CAPS flag is set on the process, and Ethernet face creation fails with "pcap_activate: You don't have permission to capture on that device" error.

To fix this issue, PcapHelper should wrap pcap_activate in PrivilegeHelper::runElevated.

Related issues 1 (0 open — 1 closed)

Related to Packaging - Bug #4565: nfd: Ethernet faces are not created

Closed

Junxiao Shi

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by Junxiao Shi almost 6 years ago

Related to Bug #4565: nfd: Ethernet faces are not created added

Actions

Copy link

Updated by Davide Pesavento almost 6 years ago

Subject changed from Ethernet faces are not created after dropping privilege to Ethernet faces are not created after dropping privileges
Description updated (diff)
Assignee set to Davide Pesavento

Actions

Copy link

Updated by Davide Pesavento over 4 years ago

Target version changed from v0.7 to 22.02

Actions

Copy link

Updated by Junxiao Shi about 3 years ago

Status changed from New to Code review
Assignee changed from Davide Pesavento to Junxiao Shi
% Done changed from 0 to 100

It's my third time running into this issue so I did it.
https://gerrit.named-data.net/c/NFD/+/6329

After this change, Ethernet face works with either NFD started as root, or NFD started as non-root with capabilities.

Start NFD binary as root¶

Setup steps:

sudo groupadd --system ndn
sudo useradd --system --gid ndn --create-home --home-dir /var/lib/ndn --shell /usr/sbin/nologin ndn

cd /usr/local/etc/ndn
sudo cp nfd.conf.sample nfd.conf
sudo infoedit -f nfd.conf -s general.user -v ndn
sudo infoedit -f nfd.conf -s general.group -v ndn

sudo HOME=/var/lib/ndn -u ndn ndnsec key-gen /operator
sudo HOME=/var/lib/ndn nfd

NFD console log:

1611758413.846030  INFO: [nfd.PrivilegeHelper] elevated to effective uid=0 gid=0
1611758413.887127  INFO: [nfd.PrivilegeHelper] dropped to effective uid=998 gid=998
1611758413.890453  INFO: [nfd.FaceTable] Added face id=256 remote=ether://[01:00:5e:00:17:aa] local=dev://eth0

Face list:

$ nfdc face list scheme ether
faceid=256 remote=ether://[01:00:5e:00:17:aa] local=dev://eth0 congestion={base-marking-interval=100ms default-threshold=65536B} mtu=1500 counters={in={0i 0d 0n 0B} out={0i 0d 0n 0B}} flags={non-local permanent multi-access}

Start NFD binary as non-root¶

Setup steps:

sudo groupadd --system ndn
sudo useradd --system --gid ndn --create-home --home-dir /var/lib/ndn --shell /usr/sbin/nologin ndn

cd /usr/local/etc/ndn
sudo cp nfd.conf.sample nfd.conf
sudo infoedit -f nfd.conf -s face_system.unix.path -v /tmp/nfd.sock

sudo setcap cap_net_raw=eip /usr/local/bin/nfd
sudo HOME=/var/lib/ndn -u ndn ndnsec key-gen /operator
sudo HOME=/var/lib/ndn -u ndn nfd

NFD console log:

1611758639.241697  INFO: [nfd.FaceTable] Added face id=256 remote=ether://[01:00:5e:00:17:aa] local=dev://eth0

Face list:

$ NDN_CLIENT_TRANSPORT=unix:///tmp/nfd.sock nfdc face list scheme ether
faceid=256 remote=ether://[01:00:5e:00:17:aa] local=dev://eth0 congestion={base-marking-interval=100ms default-threshold=65536B} mtu=1500 counters={in={0i 0d 0n 0B} out={0i 0d 0n 0B}} flags={non-local permanent multi-access}

Actions

Copy link