-
Notifications
You must be signed in to change notification settings - Fork 231
Setup User Permissions
This page describes how to setup the appropriate permissions so that it allows Gatekeeper to turn to a constrained user after the boot. Specifically, we run Gatekeeper as root and change it to a user specified in Lua configuration.
This is important due to two main reasons: (1) depending on which user we are using to run Gatekeeper/Grantor, we may need to change owner and access mode of the log file just created; (2) a limited user after the boot scopes how much bad stuff can be done if Gatekeeper/Grantor servers can ever be remotely compromised.
According to the discussion on Running DPDK as non-root in DPDK mailing list, we know that DPDK only needs the physical address to set up a memory map. So after proper mapping, DPDK is just using virtual addresses.
One can specify the user that will run Gatekeeper after it boots in lua/net.lua by changing the user variable. If this parameter is left undefined (i.e. nil), Gatekeeper will run as the user it is called, which is typically the root user.
One can specify the access mode in octal that Gatekeeper should set on log files after it boots via command line parameter: --log-file-mode <val>. The default mode is S_IRUSR | S_IWUSR, i.e., read and write by owner.
The permissions of the UNIX socket file created by the Dynamic Configuration block can be specified by the variable mode in lua/dyn_cfg.lua.