[Nfd-dev] Push the Deployment of NDNCERT

Junxiao Shi shijunxiao at email.arizona.edu
Tue Nov 19 10:10:51 PST 2019


Hi Hunter

As I noted below, you can use 'sudo HOME=/var/lib/ndn/ndncert -u ndn' to
access the 'ndn' user.

Yours, Junxiao

On Tue, Nov 19, 2019, 13:08 Hunter Dellaverson <hdellaverson at gmail.com>
wrote:

> Thanks so much Junxiao. Agree that it's bad practice to run as root here
> -- just thought about it as a temporary patch.
>
> To clarify: we don't actually have access to/control the ndn user -- will
> I still be able to implement this fix?
>
> Thanks again, and sorry for the trouble.
> Best,
> Hunter
>
> On Tue, Nov 19, 2019 at 9:59 AM Junxiao Shi <shijunxiao at email.arizona.edu>
> wrote:
>
>> Hi Hunter
>>
>> It is dangerous to run a networked process, such as ndncert-ca-server, as
>> root.
>> This also has nothing to do with whether op_yufeng can write to the
>> relevant directory.
>>
>> The proper solution is:
>>
>>    1. Create /var/lib/ndn/ndncert-ca directory, owned by 'ndn' user.
>>    2. ndncert-ca-server runs as 'ndn' user.
>>    3. In systemd unit file, set HOME environment variable to
>>    /var/lib/ndn/ndncert-ca . Reference: ndnpingserver systemd unit file
>>    <https://github.com/named-data/ndn-tools/blob/2cd6ae8495861416f90428ef9e59c2ec380a37f2/systemd/ndn-ping-server.service.in#L30>
>>    .
>>    4. Import the CA key to the KeyChain located in
>>    /var/lib/ndn/ndncert-ca . Whenever you access this KeyChain, you should
>>    impersonate as 'ndn' user using a command line like `sudo
>>    HOME=/var/lib/ndn/ndncert-ca -u ndn ndnsec list -c`. Never access this
>>    KeyChain as root or any other user.
>>
>>
>> Yours, Junxiao
>>
>> On Tue, Nov 19, 2019 at 12:28 PM Hunter Dellaverson <
>> hdellaverson at gmail.com> wrote:
>>
>>> Ah, so sorry, just realized a quick hotfix -- changed systemd to be
>>> running as root. Should be working now.
>>> Best,
>>> Hunter
>>>
>>
>> ---------- Forwarded message ---------
>> From: Hunter Dellaverson <hdellaverson at gmail.com>
>> Date: Tue, Nov 19, 2019 at 12:22 PM
>> Subject: Re: Push the Deployment of NDNCERT
>>
>> Hi Junxiao!
>> As far as I can tell, systemd is currently having a permissions issue [1]
>> (image generated from journalctl command). Ndncert tries to create a file
>> in /var/lib/ndn, which is owned by the ndn group [2] (ls -al). Yufeng,
>> though part of the ndn group [3] doesn't have write permissions, if I'm
>> reading this correctly. I'm hesitant to change permissions on the spurs
>> server without permission, though from what I understand someone shot a
>> message to John D. Hart. In the meantime, I've manually restarted the
>> server.
>> If you have a quick/easy fix for this, would be much appreciated.
>> Best,
>> Hunter
>>
>> On Tue, Nov 19, 2019 at 6:21 AM Junxiao Shi <shijunxiao at email.arizona.edu>
>> wrote:
>>
>>> Hi Yufeng
>>>
>>> Did you add the necessary flags into the systemd file? Or did you
>>> disable systemd and start the server in a console?
>>> Server crashed 10 minutes ago, and systemd didn't bring it up.
>>>
>>> Yours, Junxiao
>>>
>>>
>>>
>>>
>>
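
The four-step setup quoted above can be checked mechanically. The script below is an added example, not part of the original thread or of the NDNCERT project: it audits a systemd unit file for a non-root `User=` and the expected `HOME`, and checks directory ownership when the directory exists. The function names are hypothetical, and it goes slightly beyond the thread by also accepting quoted, multi-assignment `Environment=` lines.

```shell
#!/bin/sh
# Added example: audit a systemd unit against the setup described in the thread.
# Usage: sh audit.sh UNIT_FILE EXPECTED_HOME   (exit 0 if compliant, 1 if not)

# Print the last value assigned to KEY ($2) inside the [Service] section of $1.
service_value() {
    awk -v key="$2" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { print val }
    ' "$1"
}

# Print the HOME value set through any Environment= line in [Service].
service_home() {
    awk '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && /^Environment=/ {
            line = substr($0, 13)              # text after "Environment="
            gsub(/"/, "", line)                # drop optional quoting
            n = split(line, kv, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (index(kv[i], "HOME=") == 1) home = substr(kv[i], 6)
        }
        END { print home }
    ' "$1"
}

audit_unit() {
    unit=$1 want_home=$2 rc=0
    user=$(service_value "$unit" User)
    home=$(service_home "$unit")
    case $user in
        # A system service with no User= runs as root.
        ''|root|0) echo "FAIL: service runs as root (User='$user')"; rc=1 ;;
        *) echo "ok: User=$user" ;;
    esac
    if [ "$home" != "$want_home" ]; then
        echo "FAIL: HOME='$home', expected '$want_home'"; rc=1
    else
        echo "ok: HOME=$home"
    fi
    # Ownership check runs only when the directory exists on this host.
    if [ -d "$want_home" ] && [ -n "$user" ]; then
        owner=$(stat -c %U "$want_home" 2>/dev/null || stat -f %Su "$want_home")
        [ "$owner" = "$user" ] || { echo "FAIL: $want_home owned by $owner"; rc=1; }
    fi
    return $rc
}

if [ $# -eq 2 ]; then audit_unit "$1" "$2"; fi
```
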