ntop / n2n

Peer-to-peer VPN
GNU General Public License v3.0

Permissioning of *.conf files? #969

Open jradxl opened 2 years ago

jradxl commented 2 years ago

In the same way as ~/.ssh/id_rsa is locked down to the user, I wanted to do the same for /etc/n2n.

I find that Edge has no issues with reading the edge.conf file owned as root, but Supernode complains. There is nothing in edge.service or supernode.service to tell the processes to change to the n2n user. Is this hard-coded in the executables?

I find that I need to change permissions to:

# ls -al /etc/n2n/
total 28
drwxr-x---   2 root n2n   4096 Mar 16 18:34 .
drwxr-xr-x 119 root root 12288 Mar 15 18:51 ..
-rw-r-----   1 root n2n    354 Mar 16 00:29 communities.list
-rw-------   1 root root   317 Mar 16 14:51 edge.conf
-rw-r-----   1 root n2n    160 Mar 16 16:07 supernode.conf

Why the different behaviour? The way Edge works was what I was expecting. Thx

# id n2n
uid=995(n2n) gid=995(n2n) groups=995(n2n)

Version: n2n_3.0.0-1038_amd64.deb

WARNING: n2n has not been compiled with libcap-dev; some commands may fail

I'll have a go at guessing the answer... Edge is compiled (by you) without libcap-dev, so it needs to be root to create the interface before switching to n2n. Supernode doesn't, so I guess (sadly) that it switches before it tries to read the two config files. Pity!

hamishcoleman commented 2 years ago

If anything, in the future we would want to reduce the permissions provided to the daemons. The supernode can be run with no privs at all, and the edge can do this with some small setup, so I would not build anything that relied on the daemon needing root access to read its config files.

The libcap-dev message is purely a warning; it doesn't have much (if any, I didn't check the code) effect on the steps you are performing. The autobuild process that created this deb package is intentionally building a package with the least number of additional dependencies, so it leaves out the libcap library.
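A defender-side check for the layout jradxl posted and the goal hamishcoleman describes: the config directory and files readable by the unprivileged daemon group, nothing readable by "other". This is an added example, not n2n's own tooling; it assumes GNU stat(1) and a daemon group named n2n by default, and it flags exactly the root:root 600 edge.conf case from the listing above.

```shell
#!/bin/sh
# Added example, not part of n2n. Audits an n2n config directory against the
# layout in this issue: directory and files group-readable by the daemon
# group (default n2n), nothing accessible by "other". Assumes GNU stat(1),
# whose %a prints the octal mode without a leading zero (e.g. 640).
# Returns 0 when clean, 1 when any problem was printed.
check_n2n_perms() {
    dir="${1:-/etc/n2n}"
    grp="${2:-n2n}"
    rc=0
    for path in "$dir" "$dir"/*.conf "$dir"/*.list; do
        [ -e "$path" ] || continue              # skip unmatched globs
        fgrp=$(stat -c '%G' "$path")            # owning group name
        mode=$(stat -c '%a' "$path")            # octal mode, e.g. 640
        other=$(( mode % 10 ))                  # low digit: "other" bits
        gbits=$(( (mode / 10) % 10 ))           # middle digit: group bits
        if [ "$other" -ne 0 ]; then
            echo "$path: accessible by other (mode $mode)"
            rc=1
        fi
        if [ "$fgrp" != "$grp" ]; then
            # e.g. edge.conf owned root:root: the daemon group cannot read it
            echo "$path: group is $fgrp, expected $grp"
            rc=1
        elif [ $(( gbits & 4 )) -eq 0 ]; then
            # e.g. mode 600: right group, but the group read bit is missing
            echo "$path: not group-readable (mode $mode)"
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone run: ./check.sh --audit [dir] [group]
if [ "${1:-}" = "--audit" ]; then
    check_n2n_perms "${2:-/etc/n2n}" "${3:-n2n}"
fi
```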