Closed Krisscut closed 1 year ago
The user name is inferred here when accepting a UNIX socket connection.
Ok but then it would mean it uses the user ID only. How does it explain that changing the group seems to fix my issue?
At some point, does it infer the NACM group based on the (Linux) group name of the current user as well? From my understanding it shouldn't, but it was my conclusion based on the things I attempted.
If enable-external-groups (YANG ietf-netconf-acm) is true, the system groups of the user are used when evaluating NACM.
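To make the answer above concrete, here is an added model (not netopeer2 or sysrepo code) of how RFC 8341 derives a session's NACM groups: the groups configured under /nacm/groups that list the user, plus, when enable-external-groups is true (its YANG default), the group names the transport supplies, which for a UNIX socket are the Linux groups of the connecting process. The user, group and rule-list names are constructed for the example.

```python
"""Added example modelling NACM group resolution per RFC 8341 (ietf-netconf-acm).

It is not netopeer2/sysrepo code; names below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Nacm:
    enable_external_groups: bool = True   # YANG default is true (RFC 8341 s.3.3)
    groups: dict = field(default_factory=dict)      # nacm group -> set of user names
    rule_lists: list = field(default_factory=list)  # (name, set of nacm groups) in order


def effective_groups(nacm, user, system_groups):
    """Groups NACM evaluates for `user`; `system_groups` come from the transport."""
    groups = {g for g, users in nacm.groups.items() if user in users}
    if nacm.enable_external_groups:
        # External (e.g. Linux) group names are added verbatim to the user's groups.
        groups |= set(system_groups)
    return groups


def matching_rule_lists(nacm, user, system_groups):
    """Rule-lists that apply to the session, in configured order (RFC 8341 s.3.4.4)."""
    groups = effective_groups(nacm, user, system_groups)
    return [name for name, rl_groups in nacm.rule_lists
            if "*" in rl_groups or groups & rl_groups]


# Constructed config: "alice" is only in the NACM group "operators"; a restrictive
# rule-list is bound to the NACM group "guest", a permissive one to "operators".
CONFIG = dict(groups={"operators": {"alice"}},
              rule_lists=[("guest-rules", {"guest"}), ("operator-rules", {"operators"})])

default_nacm = Nacm(**CONFIG)                                # enable-external-groups omitted
explicit_nacm = Nacm(enable_external_groups=False, **CONFIG)


def scenario(linux_groups, external_enabled=True):
    """Rule-lists matched for alice when her Linux groups are `linux_groups`."""
    nacm = default_nacm if external_enabled else explicit_nacm
    return matching_rule_lists(nacm, "alice", linux_groups)


if __name__ == "__main__":
    print(scenario(["guest"]))                 # Linux group "guest" pulls in guest-rules
    print(scenario(["group_name_container"]))  # unrelated Linux group: only operator-rules
    print(scenario(["guest"], external_enabled=False))  # external groups ignored
```

The first case reproduces the symptom in this thread: a Linux group whose name coincides with a restricted NACM group makes that rule-list apply even though the user was never added to it under /nacm/groups.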
Ok thanks !
We don't specify this leaf and I see it default to true, so that explains the behavior. Thanks a lot for the feedback.
Hi,
Today I investigated an issue where I was receiving a lot of error messages due to the NACM: ![image](https://github.com/CESNET/netopeer2/assets/8125922/6853a925-6114-4cc0-a2e6-5159d54fdbed)
We are running netopeer2-server with the Unix socket option added (-U), and then after the initial startup we tried to connect through this Unix socket with the `connect --unix` cmd.
On the server side, NACM was configured with the following:
netopeer2-server (and the CLI as well) was started with a user with these ids:
I noticed that as soon as I moved that user to another group, it didn't have the NACM issue again:
uid=1000(user) gid=7730(group_name_container) groups=7730(group_name_container)
So I was wondering how you infer the user & group when running in Unix socket mode? It looks to me like when I was logged in as "user" but with the group "guest", I actually received the NACM error because I fell into the NACM rule "guest", which is restricted. Then when I used another group name, it worked, maybe because it used the "user" identifier to put me in one of the NACM groups with permission?
Do you have more details about the NACM feature and how it infers the connected user in Unix mode?
I tried searching in the code but without success so far!