[Nfd-dev] Push the Deployment of NDNCERT

Junxiao Shi shijunxiao at email.arizona.edu
Tue Nov 19 09:59:01 PST 2019


Hi Hunter

It is dangerous to run a networked process, such as ndncert-ca-server, as
root.
This also has nothing to do with whether op_yufeng can write to the
relevant directory.

The proper solution is:

   1. Create /var/lib/ndn/ndncert-ca directory, owned by 'ndn' user.
   2. ndncert-ca-server runs as 'ndn' user.
   3. In systemd unit file, set HOME environment variable to
   /var/lib/ndn/ndncert-ca. Reference: ndnpingserver systemd unit file
   <https://github.com/named-data/ndn-tools/blob/2cd6ae8495861416f90428ef9e59c2ec380a37f2/systemd/ndn-ping-server.service.in#L30>.
   4. Import the CA key to the KeyChain located in /var/lib/ndn/ndncert-ca.
   Whenever you access this KeyChain, you should impersonate the 'ndn' user
   using a command line like
   `sudo HOME=/var/lib/ndn/ndncert-ca -u ndn ndnsec list -c`.
   Never access this KeyChain as root or any other user.


Yours, Junxiao
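
An added example, not part of the original message or of the NDNCERT project: a shell check that a unit file follows steps 2 and 3 above (runs as 'ndn', HOME set to the state directory). The two unit files it writes, including the ExecStart path, are constructed samples.

```shell
#!/bin/sh
# Added example: audit a unit file against steps 2 and 3 of the message above.
# The state directory and 'ndn' account come from the message.
STATE_DIR=/var/lib/ndn/ndncert-ca
SERVICE_USER=ndn

# service_key FILE KEY: print every value assigned to KEY inside [Service].
service_key() {
  awk -v key="$2" '
    /^\[/ { in_service = ($0 == "[Service]"); next }
    in_service && index($0, key "=") == 1 { print substr($0, length(key) + 2) }
  ' "$1"
}

# unit_user FILE: effective User=; systemd runs system services as root when unset.
unit_user() {
  u=$(service_key "$1" User | tail -n 1)
  echo "${u:-root}"
}

# unit_home FILE: HOME from Environment= lines (last one wins; quotes stripped).
# Simplification: EnvironmentFile= and an empty "Environment=" reset are not handled.
unit_home() {
  service_key "$1" Environment | tr -d '"' | tr ' ' '\n' |
    sed -n 's/^HOME=//p' | tail -n 1
}

# audit_unit FILE: print findings; return status is the number of failed checks.
audit_unit() {
  fails=0
  user=$(unit_user "$1"); home=$(unit_home "$1")
  if [ "$user" != "$SERVICE_USER" ]; then
    echo "FAIL $1: runs as '$user', expected '$SERVICE_USER'"; fails=$((fails + 1))
  fi
  if [ "$home" != "$STATE_DIR" ]; then
    echo "FAIL $1: HOME='$home', expected '$STATE_DIR'"; fails=$((fails + 1))
  fi
  [ "$fails" -eq 0 ] && echo "OK   $1"
  return "$fails"
}

# Constructed samples (ExecStart path is assumed): root "hotfix" unit vs. the steps above.
SAMPLES=$(mktemp -d)
printf '%s\n' '[Unit]' 'Description=sample' '[Service]' 'User=root' \
  'ExecStart=/usr/bin/ndncert-ca-server' > "$SAMPLES/hotfix.service"
printf '%s\n' '[Service]' "Environment=HOME=$STATE_DIR" "User=$SERVICE_USER" \
  'ExecStart=/usr/bin/ndncert-ca-server' 'Restart=on-failure' > "$SAMPLES/fixed.service"
audit_unit "$SAMPLES/hotfix.service" || true
audit_unit "$SAMPLES/fixed.service" || true
```
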

On Tue, Nov 19, 2019 at 12:28 PM Hunter Dellaverson <hdellaverson at gmail.com>
wrote:

> Ah, so sorry, just realized a quick hotfix -- changed systemd to be
> running as root. Should be working now.
> Best,
> Hunter
>

---------- Forwarded message ---------
From: Hunter Dellaverson <hdellaverson at gmail.com>
Date: Tue, Nov 19, 2019 at 12:22 PM
Subject: Re: Push the Deployment of NDNCERT

Hi Junxiao!
As far as I can tell, systemd is currently having a permissions issue [1]
(image generated from journalctl command). Ndncert tries to create a file
in /var/lib/ndn, which is owned by the ndn group [2] (ls -al). Yufeng,
though part of the ndn group [3], doesn't have write permissions, if I'm
reading this correctly. I'm hesitant to change permissions on the spurs
server without permission, though from what I understand someone shot a
message to John D. Hart. In the meantime, I've manually restarted the
server.
If you have a quick/easy fix for this, would be much appreciated.
Best,
Hunter

On Tue, Nov 19, 2019 at 6:21 AM Junxiao Shi <shijunxiao at email.arizona.edu>
wrote:

> Hi Yufeng
>
> Did you add the necessary flags into the systemd file? Or did you disable
> systemd and start the server in a console?
> Server crashed 10 minutes ago, and systemd didn't bring it up.
>
> Yours, Junxiao
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1.png
Type: image/png
Size: 353910 bytes
Desc: not available
URL: <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/attachments/20191119/6609a096/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2.png
Type: image/png
Size: 117576 bytes
Desc: not available
URL: <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/attachments/20191119/6609a096/attachment-0004.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 3.png
Type: image/png
Size: 27258 bytes
Desc: not available
URL: <http://www.lists.cs.ucla.edu/pipermail/nfd-dev/attachments/20191119/6609a096/attachment-0005.png>

