ntop / n2n

Peer-to-peer VPN
GNU General Public License v3.0

Supernode and edge without sudo privilege #1049

Open RandomForestGump opened 1 year ago

RandomForestGump commented 1 year ago

The n2n documentation mentions that supernode can be run as a process without sudo privileges.

I tried to do the same, since my problem requires setting up n2n automatically on newly created EC2 instances through a non-root user.

I am using n2n-3.0 stable build and compiling from source.

I am getting the following error:

```
supernode -p 5605 -f -v

[supernode.c:588] WARNING: using default federation name; FOR TESTING ONLY, usage of a custom federation name (-F) is highly recommended!
[sn_utils.c:120] started shared secrets calculation for edge authentication
[sn_utils.c:136] calculated shared secrets for edge authentication
[supernode.c:604] supernode is listening on UDP 5605 (main)
[supernode.c:613] supernode opened TCP 5605 (aux)
[supernode.c:620] supernode is listening on TCP 5605 (aux)
[supernode.c:629] supernode is listening on UDP 5645 (management)
[supernode.c:641] dropping privileges to uid=99, gid=99
[supernode.c:647] ERROR: unable to drop privileges [1/Operation not permitted]
```

The command works perfectly with sudo though. Can anyone please help with this?

hamishcoleman commented 1 year ago

Unfortunately, the v3.0 release explicitly checks if you are root. Functionally, it doesn't need root access, and this restriction was removed shortly after the release, but only included in the 3.1 branch (954547a9c12e72daea65b2e01b77200f2506aedb is the commit).

RandomForestGump commented 1 year ago

I tried to make the supernode work with this commit and it works. But I'm having similar permission issues while starting an edge device from the server.

Can you please confirm whether starting an edge device requires sudo permissions or not, since this commit only changes supernode.c?

hamishcoleman commented 1 year ago

Indeed, this patch does not change the permissions required for running the edge.

There are generally some permissions needed for the edge daemon, as it will need to set up the IP address. It is possible to manually create the tuntap device and allow an unprivileged uid to access it, but you would also need to configure the IP address manually, which may be difficult to interoperate with other nodes using the auto-address assignment.
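
The manual TAP setup described in the comment above, as an added example that is not part of n2n or of this thread: a root-only, run-once step (for example from EC2 user data) creates a persistent TAP device owned by the unprivileged user and assigns the address, and the unprivileged user then starts `edge` on that device with a matching static address. It assumes Linux with iproute2, a world-writable `/dev/net/tun` (the usual 0666 default), and that every node in the community uses static addresses, because an address assigned outside of n2n cannot be combined with the supernode's auto-assignment. The `edge` flags it prints (`-f -d -a -c -l`) are as listed by `edge -h` in the 3.0 build; the device name `n2n0`, user `edgeuser` and addresses are placeholders.

```shell
#!/bin/sh
# Added example for the approach above: pre-provision a TAP device that an
# unprivileged user may open, so the n2n edge can be started without sudo.
# Not part of n2n. Assumptions: Linux with iproute2, /dev/net/tun mode 0666,
# and every node in the community using a static address (no auto-assignment).
# Edge flags (-f -d -a -c -l) as printed by `edge -h` for 3.0; confirm on your build.
set -eu

IP=${IP:-ip}   # iproute2 binary; override (e.g. IP=echo) to dry-run the commands

# Linux interface names are 1..15 bytes (IFNAMSIZ-1) without whitespace, '/' or ':'.
valid_ifname() {
    case "$1" in
        ''|*[[:space:]/:]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# Minimal IPv4 CIDR check: a.b.c.d/n with octets 0..255 and prefix length 0..32.
valid_cidr() {
    addr=${1%/*}; plen=${1##*/}
    [ "$addr" != "$1" ] || return 1                  # no '/' present
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldIFS=$IFS; IFS=.; set -- $addr; IFS=$oldIFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Root-only, run once (e.g. from EC2 user data): create a persistent TAP owned
# by the unprivileged user, assign the static address, bring the link up.
tap_provision() {
    dev=$1; user=$2; cidr=$3
    valid_ifname "$dev" || { echo "invalid device name: $dev" >&2; return 1; }
    valid_cidr "$cidr"  || { echo "invalid IPv4 CIDR: $cidr" >&2; return 1; }
    "$IP" tuntap add dev "$dev" mode tap user "$user"
    "$IP" addr add "$cidr" dev "$dev"
    "$IP" link set dev "$dev" up
}

# Unprivileged part: the command the TAP owner runs. -d names the pre-created
# device and -a repeats the address already assigned to it. The community key
# is passed separately via -k or the N2N_KEY environment variable (see `edge -h`).
edge_cmd() {
    dev=$1; cidr=$2; community=$3; supernode=$4
    printf 'edge -f -d %s -a static:%s -c %s -l %s\n' "$dev" "$cidr" "$community" "$supernode"
}

case "${1:-}" in
    provision)
        shift
        [ "$(id -u)" -eq 0 ] || { echo "provision must run as root" >&2; exit 1; }
        tap_provision "$@" ;;
    edge-cmd)
        shift; edge_cmd "$@" ;;
    '') ;;   # no subcommand: only define the functions (e.g. when sourced)
    *) echo "usage: $0 provision DEV USER CIDR | edge-cmd DEV CIDR COMMUNITY SUPERNODE:PORT" >&2; exit 2 ;;
esac
```

Usage: `sudo sh tap-setup.sh provision n2n0 edgeuser 10.1.2.3/24` once at instance creation, then, as `edgeuser`, run the line printed by `sh tap-setup.sh edge-cmd n2n0 10.1.2.3/24 mynet sn.example.net:5605`. Because the address is fixed per instance, the address plan has to be managed outside n2n (for example derived from the instance's own metadata), which is the interoperability cost the comment above points out.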

RandomForestGump commented 1 year ago

Thanks Hamish for answering the questions. Since my application (it simply uses n2n to enable multicast between AWS instances) doesn't really have sudo permissions, I might have to explore the way you're suggesting. I'll search for it myself, but in case you have any materials/links or reference knowledge on it, I would be really grateful.