[Nfd-dev] NFD Ethernet faces and PrivilegeHelper

Junxiao Shi shijunxiao at email.arizona.edu
Tue Mar 27 19:50:05 PDT 2018


Hi Davide

> I have a backported NFD 0.6.1 running on a Debian Stretch system, and it
>
> What is a "backported NFD 0.6.1"? 0.6.1 is an official NFD release,
> I'm not sure what you backported...
>
> I need to install DEB packages, because compiling on 512MB memory would
take days.
There isn’t an official package for Debian Stretch, so I followed
https://wiki.debian.org/CreatePackageFromPPA guide and backported Ubuntu
Artful packages to Debian Stretch.

> fails to create Ethernet faces.
> > Mar 27 01:57:54 beaglebone nfd[9727]: 1522115874.916868 INFO:
> > [PrivilegeHelper] dropped to effective uid=109 gid=116
> > Mar 27 01:57:55 beaglebone nfd[9727]: 1522115874.919167 INFO:
> > [EthernetChannel] [dev://eth0] Creating channel
> > Mar 27 01:57:55 beaglebone nfd[9727]: 1522115874.938101 WARNING:
> > [EthernetFactory] Cannot listen on eth0: pcap_activate: You don't have
> > permission to capture on that device
> > Mar 27 01:57:55 beaglebone nfd[9727]: 1522115874.944578 WARNING:
> > [EthernetFactory] Cannot create multicast face on eth0: pcap_activate: You
> > don't have permission to capture on that device
> >
> > In NFD source code I notice that a setsockopt call in UDP multicast face
> > creation is elevated to root, but there isn't a runElevated wrapper around
> > pcap_activate.
>
> I have no idea if pcap_activate is the only function call that
> requires root privileges in the EthernetTransport implementation. I
> have personally never tested non-root scenarios, and the current code
> was written with the assumption that it's running as root.
>
> Wrapping pcap_activate in runElevated may or may not be enough. You
> can try and open a ticket or submit a patch if it works.

The error message identifies pcap_activate as the troublemaker. Even if
elevating privilege only at this function works now, another version of
libpcap could have a different internal implementation that requires root
in another function.


> > NDN testbed router seems to be able to create Ethernet faces with no
> > problem, but they have disabled privilege dropping altogether.
> >
> > What's the recommended method to enable Ethernet faces for a PPA package
> > deployment? Am I supposed to disable privilege dropping as well? If so,
> > should this be configured in PPA's nfd.conf?
>
> I don't know about the PPA's configuration file, but the original
> nfd.conf.sample says that for Ethernet faces you either need to be
> root or set the appropriate file capabilities on the nfd binary.

PPA’s nfd.conf drops privilege to ndn:ndn. Are you suggesting PPA should do
‘setcap’, or not drop privileges at all?

Yours, Junxiao
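
A diagnostic for the two options weighed in this thread (running with root's effective privileges versus file capabilities on the binary), as an added example that is not part of the original e-mail or of NFD's code. It decodes the capability masks in /proc/<pid>/status; the function names and both status samples are constructed, and the choice of CAP_NET_RAW and CAP_NET_ADMIN as the relevant capabilities is an assumption.

```shell
#!/bin/sh
# Added example: decode the capability masks found in /proc/<pid>/status.
# Bit numbers come from linux/capability.h.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# Constructed sample: a root-started process after seteuid() to uid 109.
# The permitted set survives, the effective set is cleared.
SAMPLE_DROPPED='Uid: 0 109 0 109
CapPrm: 0000003fffffffff
CapEff: 0000000000000000'

# Constructed sample: an unprivileged process started from a binary that
# carries cap_net_raw,cap_net_admin=eip as file capabilities (assumed set).
SAMPLE_FILECAP='Uid: 109 109 109 109
CapPrm: 0000000000003000
CapEff: 0000000000003000'

# has_cap HEXMASK BIT: succeeds when BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_report: read status text on stdin, print one line per capability set.
cap_report() {
    while read -r key mask _rest; do
        case "$key" in
            CapPrm:|CapEff:) ;;
            *) continue ;;
        esac
        case "$mask" in
            ''|*[!0-9a-fA-F]*) continue ;;   # not a hex mask, skip
        esac
        raw=no; admin=no
        if has_cap "$mask" "$CAP_NET_RAW"; then raw=yes; fi
        if has_cap "$mask" "$CAP_NET_ADMIN"; then admin=yes; fi
        echo "${key%:} net_raw=$raw net_admin=$admin"
    done
}

# can_capture: succeeds only when CapEff holds CAP_NET_RAW, which Linux
# requires for opening the packet socket that libpcap captures from.
can_capture() {
    cap_report | grep -q '^CapEff net_raw=yes'
}

# Stand-alone run: show the report for the privilege-dropped sample.
printf '%s\n' "$SAMPLE_DROPPED" | cap_report
```

Against a live daemon, feed it the real file: `cap_report < /proc/<pid>/status`. A CapPrm line with the bit set and a CapEff line without it is the state in which a capture open fails unless the effective privileges are raised around the call.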
