CESNET / netopeer2

NETCONF toolset
BSD 3-Clause "New" or "Revised" License

Clarification regarding Unix socket mode (-U) #1428

Closed Krisscut closed 1 year ago

Krisscut commented 1 year ago

Hi,

Today I investigated an issue where I was receiving a lot of error messages due to the NACM.

We are running netopeer2-server with the Unix socket option added (-U), and then after the initial startup we tried to connect through this unix socket with the connect --unix cmd.

On the server side, NACM was configured with the following:

<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <groups>
    <group>
      <name>admin</name>
      <user-name>admin</user-name>
      <user-name>user</user-name>
    </group>
    <group>
      <name>limited</name>
      <user-name>netconf</user-name>
      <user-name>oranuser@o-ran.org</user-name>
      <user-name>user</user-name>
    </group>
    <group>
      <name>guest</name>
      <user-name>guest</user-name>
    </group>
    <group>
      <name>sudo</name>
      <user-name>xranuser</user-name>
      <user-name>xranuser1</user-name>
      <user-name>xranuser2</user-name>
      <user-name>docomo999</user-name>
    </group>
  </groups>
  <rule-list>
    <name>guest-acl</name>
    <group>guest</group>
    <rule>
      <name>deny-ncm</name>
      <module-name>ietf-netconf-monitoring</module-name>
      <access-operations>*</access-operations>
      <action>deny</action>
      <comment>
             Do not allow guests any access to the netconf
             monitoring information.
         </comment>
    </rule>
  </rule-list>
  <rule-list>
    <name>limited-acl</name>
    <group>limited</group>
    <rule>
      <name>permit-all</name>
      <module-name>*</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
      <comment>
             Allow the admin group complete access to all
             operations and data.
         </comment>
    </rule>
  </rule-list>
  <rule-list>
    <name>admin-acl</name>
    <group>admin</group>
    <rule>
      <name>permit-all</name>
      <module-name>*</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
      <comment>
             Allow the admin group complete access to all
             operations and data.
         </comment>
    </rule>
  </rule-list>
  <rule-list>
    <name>sudo-acl</name>
    <group>sudo</group>
    <rule>
      <name>deny_ald</name>
      <module-name>o-ran-ald</module-name>
      <access-operations>update create delete</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_ald</name>
      <module-name>o-ran-ald</module-name>
      <access-operations>exec read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>permit_ald_port</name>
      <module-name>o-ran-ald-port</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group complete access to all
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>permit_antenna_calibration</name>
      <module-name>o-ran-antenna-calibration</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to all
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_beamforming</name>
      <module-name>o-ran-beamforming</module-name>
      <access-operations>update create delete</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_beamforming</name>
      <module-name>o-ran-beamforming</module-name>
      <access-operations>read exec</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_delay_management</name>
      <module-name>o-ran-delay-management</module-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_delay_management</name>
      <module-name>o-ran-delay-management</module-name>
      <access-operations>read update create delete</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_dhcp</name>
      <module-name>o-ran-dhcp</module-name>
      <access-operations>update create delete exec</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_dhcp</name>
      <module-name>o-ran-dhcp</module-name>
      <access-operations>read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_ethernet_forwarding</name>
      <module-name>o-ran-ethernet-forwarding</module-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_ethernet_forwarding</name>
      <module-name>o-ran-ethernet-forwarding</module-name>
      <access-operations>update create delete read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>permit_externalio</name>
      <module-name>o-ran-externalio</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group complete access to all
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_fan</name>
      <module-name>o-ran-fan</module-name>
      <access-operations>update create delete exec</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_fan</name>
      <module-name>o-ran-fan</module-name>
      <access-operations>read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_file_management</name>
      <module-name>o-ran-file-management</module-name>
      <access-operations>update create delete</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_file_management</name>
      <module-name>o-ran-file-management</module-name>
      <access-operations>exec read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_fm</name>
      <module-name>o-ran-fm</module-name>
      <access-operations>update create delete</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_fm</name>
      <module-name>o-ran-fm</module-name>
      <access-operations>read exec</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>permit_hardware</name>
      <module-name>o-ran-hardware</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group complete access to all
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_import_db</name>
      <module-name>o-ran-import-db</module-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_import_db</name>
      <module-name>o-ran-import-db</module-name>
      <access-operations>update create delete read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>permit_interfaces</name>
      <module-name>o-ran-interfaces</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group complete access to all
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_laa</name>
      <module-name>o-ran-laa</module-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_laa</name>
      <module-name>o-ran-laa</module-name>
      <access-operations>read update create delete</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_laa_operations</name>
      <module-name>o-ran-laa-operations</module-name>
      <access-operations>update create delete</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_laa_operations</name>
      <module-name>o-ran-laa-operations</module-name>
      <access-operations>exec read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_lbm</name>
      <module-name>o-ran-lbm</module-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_lbm</name>
      <module-name>o-ran-lbm</module-name>
      <access-operations>update create delete read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_cap</name>
      <module-name>o-ran-cap</module-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_cap</name>
      <module-name>o-ran-cap</module-name>
      <access-operations>update create delete read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_mplane_int</name>
      <module-name>o-ran-mplane-int</module-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_mplane_int</name>
      <module-name>o-ran-mplane-int</module-name>
      <access-operations>update create delete read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>permit_operations</name>
      <module-name>o-ran-operations</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group complete access to all
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>permit_performance_management</name>
      <module-name>o-ran-performance-management</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group complete access to all
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_processing_element</name>
      <module-name>o-ran-processing-element</module-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_processing_element</name>
      <module-name>o-ran-processing-element</module-name>
      <access-operations>update create delete read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_software_management</name>
      <module-name>o-ran-software-management</module-name>
      <access-operations>update create delete</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_software_management</name>
      <module-name>o-ran-software-management</module-name>
      <access-operations>exec read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>permit_supervision</name>
      <module-name>o-ran-supervision</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group complete access to all
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>permit_sync</name>
      <module-name>o-ran-sync</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group complete access to all
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_trace</name>
      <module-name>o-ran-trace</module-name>
      <access-operations>update create delete</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_trace</name>
      <module-name>o-ran-trace</module-name>
      <access-operations>exec read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_transceiver</name>
      <module-name>o-ran-transceiver</module-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_transceiver</name>
      <module-name>o-ran-transceiver</module-name>
      <access-operations>update create delete read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_troubleshooting</name>
      <module-name>o-ran-troubleshooting</module-name>
      <access-operations>update create delete</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_troubleshooting</name>
      <module-name>o-ran-troubleshooting</module-name>
      <access-operations>exec read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_udp_echo</name>
      <module-name>o-ran-udp-echo</module-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_udp_echo</name>
      <module-name>o-ran-udp-echo</module-name>
      <access-operations>update create delete read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>permit_uplane_conf</name>
      <module-name>o-ran-uplane-conf</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group complete access to all
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>permit_usermgmt</name>
      <module-name>o-ran-usermgmt</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group complete access to all
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_iana_hardware</name>
      <module-name>iana-hardware</module-name>
      <access-operations>update create delete exec</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_iana_hardware</name>
      <module-name>iana-hardware</module-name>
      <access-operations>read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>permit_ietf_hardware</name>
      <module-name>ietf-hardware</module-name>
      <access-operations>*</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_ietf_interfaces</name>
      <module-name>ietf-interfaces</module-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_ietf_interfaces</name>
      <module-name>ietf-interfaces</module-name>
      <access-operations>update create delete read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_ietf_ip</name>
      <module-name>ietf-ip</module-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_ietf_ip</name>
      <module-name>ietf-ip</module-name>
      <access-operations>update create delete read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_ietf_netconf_acm</name>
      <module-name>ietf-netconf-acm</module-name>
      <access-operations>exec</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_ietf_netconf_acm</name>
      <module-name>ietf-netconf-acm</module-name>
      <access-operations>update create delete read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_ietf_yang_library</name>
      <module-name>ietf-yang-library</module-name>
      <access-operations>update create delete</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_ietf_yang_library</name>
      <module-name>ietf-yang-library</module-name>
      <access-operations>exec read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
    <rule>
      <name>deny_ietf_netconf_monitoring</name>
      <module-name>ietf-netconf-monitoring</module-name>
      <access-operations>update create delete</access-operations>
      <action>deny</action>
      <comment>
             Do not allow sudo any access to the netconf
             monitoring information.
         </comment>
    </rule>
    <rule>
      <name>permit_ietf_netconf_monitoring</name>
      <module-name>ietf-netconf-monitoring</module-name>
      <access-operations>exec read</access-operations>
      <action>permit</action>
      <comment>
             Allow the sudo group  access to some
             operations and data.
         </comment>
    </rule>
  </rule-list>
  <denied-operations>0</denied-operations>
  <denied-data-writes>0</denied-data-writes>
  <denied-notifications>0</denied-notifications>
</nacm>

netopeer2-server (and the CLI as well) was started with a user with these ids:

uid=1000(user) gid=7730(guest) groups=7730(guest)

I noticed that as soon as I moved that user to another group, it didn't have the NACM issue again:

uid=1000(user) gid=7730(group_name_container) groups=7730(group_name_container)

So I was wondering how you infer the user and group when running in Unix socket mode? It looks to me like when I was logged in as "user" but with the group "guest", I actually received the NACM error because I fell into the restricted NACM rule "guest". Then when I used another group name, it worked, maybe because it used the "user" identifier to put me in one of the NACM groups with permission?

Do you have more details about the NACM feature and how it infers the user connected in unix mode ?

I tried searching in the code but without success so far!

michalvasko commented 1 year ago

The user name is inferred here when accepting a UNIX socket connection.

Krisscut commented 1 year ago

Ok, but then it would mean it uses the user ID only. How does that explain that changing the group seems to fix my issue?

At some point, does it infer the NACM group based on the (Linux) group name of the current user as well? From my understanding it shouldn't, but that was my conclusion based on the things I attempted.

michalvasko commented 1 year ago

If enable-external-groups (YANG ietf-netconf-acm) is true, the system groups of the user are used when evaluating NACM.
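
To make that group resolution concrete, here is an added Python example (not netopeer2 or sysrepo code) that implements the RFC 8341 group lookup and first-match rule-list evaluation over a trimmed, constructed copy of the NACM config posted above, and replays both runs from the issue: with `enable-external-groups` at its default of true, the system group `guest` pulls user "user" into `guest-acl`, whose `deny-ncm` rule is hit first; once the user sits in another system group, evaluation falls through to `limited-acl/permit-all`. The `issue_scenario(external_groups=False)` variant shows the same user permitted in both cases when external groups are disabled.

```python
import xml.etree.ElementTree as ET

NS = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"

# Constructed, trimmed copy of the issue's config: only the groups and
# rule-lists relevant to user "user" are kept, in their original order.
NACM_XML = f"""<nacm xmlns="{NS}">
  <enable-nacm>true</enable-nacm>
  <groups>
    <group><name>admin</name><user-name>admin</user-name><user-name>user</user-name></group>
    <group><name>limited</name><user-name>netconf</user-name><user-name>user</user-name></group>
    <group><name>guest</name><user-name>guest</user-name></group>
  </groups>
  <rule-list><name>guest-acl</name><group>guest</group>
    <rule><name>deny-ncm</name><module-name>ietf-netconf-monitoring</module-name>
      <access-operations>*</access-operations><action>deny</action></rule></rule-list>
  <rule-list><name>limited-acl</name><group>limited</group>
    <rule><name>permit-all</name><module-name>*</module-name>
      <access-operations>*</access-operations><action>permit</action></rule></rule-list>
  <rule-list><name>admin-acl</name><group>admin</group>
    <rule><name>permit-all</name><module-name>*</module-name>
      <access-operations>*</access-operations><action>permit</action></rule></rule-list>
</nacm>"""


def q(tag):
    return f"{{{NS}}}{tag}"


def parse_nacm(xml_text):
    root = ET.fromstring(xml_text)
    # enable-external-groups defaults to true in ietf-netconf-acm.
    external = root.findtext(q("enable-external-groups"), default="true").strip() == "true"
    groups = {g.findtext(q("name")): {u.text for u in g.findall(q("user-name"))}
              for g in root.find(q("groups")).findall(q("group"))}
    rule_lists = []
    for rl in root.findall(q("rule-list")):
        rules = [{"name": r.findtext(q("name")),
                  "module": r.findtext(q("module-name"), default="*"),
                  "ops": set(r.findtext(q("access-operations"), default="*").split()),
                  "action": r.findtext(q("action"))} for r in rl.findall(q("rule"))]
        rule_lists.append({"name": rl.findtext(q("name")),
                           "groups": {g.text for g in rl.findall(q("group"))},
                           "rules": rules})
    return {"external": external, "groups": groups, "rule_lists": rule_lists}


def effective_groups(nacm, user, system_groups=()):
    # RFC 8341 3.4.4: NACM groups listing the user, plus system groups if enabled.
    groups = {name for name, members in nacm["groups"].items() if user in members}
    if nacm["external"]:
        groups |= set(system_groups)
    return groups


def check_access(nacm, user, module, op, system_groups=()):
    # Rule-lists are walked in configured order; the first matching rule wins.
    groups = effective_groups(nacm, user, system_groups)
    for rl in nacm["rule_lists"]:
        if "*" not in rl["groups"] and not rl["groups"] & groups:
            continue
        for r in rl["rules"]:
            if r["module"] in ("*", module) and ("*" in r["ops"] or op in r["ops"]):
                return r["action"], f'{rl["name"]}/{r["name"]}'
    # No rule matched: RFC 8341 defaults (read/exec permit, writes deny).
    return ("deny" if op in ("create", "update", "delete") else "permit"), "default"


def issue_scenario(external_groups=True):
    xml = NACM_XML if external_groups else NACM_XML.replace(
        "<enable-nacm>", "<enable-external-groups>false</enable-external-groups><enable-nacm>")
    nacm = parse_nacm(xml)
    in_guest = check_access(nacm, "user", "ietf-netconf-monitoring", "read", {"guest"})
    moved = check_access(nacm, "user", "ietf-netconf-monitoring", "read", {"group_name_container"})
    return in_guest, moved
```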

Krisscut commented 1 year ago

Ok, thanks!

We don't specify this leaf and I see it defaults to true, so that explains the behavior. Thanks a lot for the feedback.
