[Nfd-dev] NFD Ethernet faces and PrivilegeHelper

Davide Pesavento davide.pesavento at lip6.fr
Tue Mar 27 14:44:35 PDT 2018


On Mon, Mar 26, 2018 at 10:24 PM, Junxiao Shi
<shijunxiao at email.arizona.edu> wrote:
> Dear folks
>
> I'm a bit confused on how Ethernet faces are activated in NFD.
>
> I have a backported NFD 0.6.1 running on a Debian Stretch system, and it

What is a "backported NFD 0.6.1"? 0.6.1 is an official NFD release,
I'm not sure what you backported...

> fails to create Ethernet faces.
> Mar 27 01:57:54 beaglebone nfd[9727]: 1522115874.916868 INFO:
> [PrivilegeHelper] dropped to effective uid=109 gid=116
> Mar 27 01:57:55 beaglebone nfd[9727]: 1522115874.919167 INFO:
> [EthernetChannel] [dev://eth0] Creating channel
> Mar 27 01:57:55 beaglebone nfd[9727]: 1522115874.938101 WARNING:
> [EthernetFactory] Cannot listen on eth0: pcap_activate: You don't have
> permission to capture on that device
> Mar 27 01:57:55 beaglebone nfd[9727]: 1522115874.944578 WARNING:
> [EthernetFactory] Cannot create multicast face on eth0: pcap_activate: You
> don't have permission to capture on that device
>
> UDP multicast faces are created normally:
> Mar 27 01:57:55 beaglebone nfd[9727]: 1522115875.016260 INFO:
> [PrivilegeHelper] elevated to effective uid=0 gid=0
> Mar 27 01:57:55 beaglebone nfd[9727]: 1522115875.016816 INFO:
> [PrivilegeHelper] dropped to effective uid=109 gid=116
> Mar 27 01:57:55 beaglebone nfd[9727]: 1522115875.024138 INFO:
> [MulticastUdpTransport]
> [id=0,local=udp4://192.168.5.10:47396,remote=udp4://224.0.23.170:56363]
> Creating transport
>
> In NFD source code I notice that a setsockopt call in UDP multicast face
> creation is elevated to root, but there isn't a runElevated wrapper around
> pcap_activate.

I have no idea if pcap_activate is the only function call that
requires root privileges in the EthernetTransport implementation. I
have personally never tested non-root scenarios, and the current code
was written with the assumption that it's running as root.

Wrapping pcap_activate in runElevated may or may not be enough. You
can try and open a ticket or submit a patch if it works.

> NDN testbed router seems to be able to create Ethernet faces with no
> problem, but they have disabled privilege dropping altogether.
>
> What's the recommended method to enable Ethernet faces for a PPA package
> deployment? Am I supposed to disable privilege dropping as well? If so,
> should this be configured in PPA's nfd.conf?

I don't know about the PPA's configuration file, but the original
nfd.conf.sample says that for Ethernet faces you either need to be
root or set the appropriate file capabilities on the nfd binary.

Davide
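
The diagnosis made by eye in this thread can be repeated over a longer log. The following is an added example, not part of the original message and not NFD code: it tracks the effective uid reported by PrivilegeHelper and lists permission errors logged while that uid was non-root. The sample is the log quoted above with the mail line-wrapping undone; the function name and the error-wording regex are assumptions.

```python
import re

# Log lines quoted in the message above, rejoined onto single lines.
SAMPLE_LOG = """\
Mar 27 01:57:54 beaglebone nfd[9727]: 1522115874.916868 INFO: [PrivilegeHelper] dropped to effective uid=109 gid=116
Mar 27 01:57:55 beaglebone nfd[9727]: 1522115874.919167 INFO: [EthernetChannel] [dev://eth0] Creating channel
Mar 27 01:57:55 beaglebone nfd[9727]: 1522115874.938101 WARNING: [EthernetFactory] Cannot listen on eth0: pcap_activate: You don't have permission to capture on that device
Mar 27 01:57:55 beaglebone nfd[9727]: 1522115874.944578 WARNING: [EthernetFactory] Cannot create multicast face on eth0: pcap_activate: You don't have permission to capture on that device
Mar 27 01:57:55 beaglebone nfd[9727]: 1522115875.016260 INFO: [PrivilegeHelper] elevated to effective uid=0 gid=0
Mar 27 01:57:55 beaglebone nfd[9727]: 1522115875.016816 INFO: [PrivilegeHelper] dropped to effective uid=109 gid=116
Mar 27 01:57:55 beaglebone nfd[9727]: 1522115875.024138 INFO: [MulticastUdpTransport] [id=0,local=udp4://192.168.5.10:47396,remote=udp4://224.0.23.170:56363] Creating transport
"""

LINE = re.compile(r"nfd\[(?P<pid>\d+)\]: (?P<ts>\d+\.\d+) (?P<level>[A-Z]+): "
                  r"\[(?P<module>\w+)\] (?P<msg>.*)")
PRIV = re.compile(r"(?:dropped|elevated) to effective uid=(?P<uid>\d+) gid=\d+")
# Assumption: permission failures are worded like the pcap message or like EPERM.
DENIED = re.compile(r"permission|not permitted", re.IGNORECASE)


def find_unelevated_failures(log_text):
    """Return permission errors logged while nfd's effective uid was non-root."""
    euid = {}       # pid -> last effective uid announced by PrivilegeHelper
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid = m["pid"]
        if m["module"] == "PrivilegeHelper":
            p = PRIV.search(m["msg"])
            if p:
                euid[pid] = int(p["uid"])
            continue
        if m["level"] in ("WARNING", "ERROR", "FATAL") and DENIED.search(m["msg"]):
            uid = euid.get(pid)
            # Skip if the privilege state is unknown or the process was root.
            if uid is not None and uid != 0:
                findings.append({"ts": m["ts"], "module": m["module"],
                                 "euid": uid, "msg": m["msg"]})
    return findings


if __name__ == "__main__":
    for f in find_unelevated_failures(SAMPLE_LOG):
        print(f"{f['ts']} euid={f['euid']} [{f['module']}] {f['msg']}")
```

Each module it reports marks a call site that ran outside an elevated section, which is where a runElevated wrapper or a file capability on the binary would have to apply.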

