Your unprivileged user needs to be able to create and use a shared memory segment.

- Peter

On 18/8/10 12:04 PM, Borja Ruiz wrote:
>
> Hi Guys
>
> I have problems running nfcapd with an unprivileged user. Here's the
> output of /var/log/messages:
>
> Aug 18 11:56:04 logserver nfcapd[32625]: Add extension: 2 byte input/output interface index
> Aug 18 11:56:04 logserver nfcapd[32625]: Add extension: 4 byte input/output interface index
> Aug 18 11:56:04 logserver nfcapd[32625]: Add extension: 2 byte src/dst AS number
> Aug 18 11:56:04 logserver nfcapd[32625]: Add extension: 4 byte src/dst AS number
> Aug 18 11:56:04 logserver nfcapd[32625]: Bound to IPv4 host/IP: any, Port: 1234567
> Aug 18 11:56:04 logserver nfcapd[32625]: Access denied to collector bookkeeping record.
> Aug 18 11:56:04 logserver nfcapd[32625]: initialize bookkeeper failed.
>
> But when I run nfcapd with root user, I have no problems at all. I have
> looked through nfcapd code, and I can see that it is a shared memory issue.
> I have tracked down the error msg to these lines of code:
>
>
> *** Bookkeeper.c, line 300 approx:
>
>     // check if the shared memory is already allocated
>     shm_id = shmget(shm_key, sizeof(bookkeeper_t), 0600);
>
>     if ( shm_id < 0 ) {
>         // the segment does not exist. Check why
>
>         switch (errno) {
>             case ENOENT:
>                 // no shared segment exists.
>                 return ERR_NOTEXISTS;
>                 break;
>             case EACCES:
>                 // there is such a segment, but we are not allowed to get it
>                 // Assume it's another nfcapd
>                 LogError("Access denied to collector bookkeeping record.");
>                 return ERR_FAILED;
>                 break;
>             default:
>                 // This should never happen, but catch it anyway
>                 LogError("semop() error in %s line %d: %s", __FILE__, __LINE__, strerror(errno) );
>                 return ERR_FAILED;
>         }
>
>
> *** Bookkeeper.c, line 200 approx:
>
>         // no valid shared segment was found
>         switch (errno) {
>             case ENOENT:
>                 // this is ok - no shared segment exists, we can create a new one below
>                 break;
>             case EACCES:
>                 // there is such a segment, but we are not allowed to get it
>                 // Assume it's another nfcapd
>                 LogError("Access denied to collector bookkeeping record.");
>                 return ERR_EXISTS;
>                 break;
>             default:
>                 // This should never happen, but catch it anyway
>                 LogError("semop() error in %s line %d: %s", __FILE__, __LINE__, strerror(errno) );
>                 return ERR_FAILED;
>         }
>
>
> Maybe it's a privs issue? If it is right, I think it can be a
> system-privs issue (it's a hardly secured system).
>
> Thanks :-)
>

--
Be nice to your netflow data. Use NfSen and nfdump :)

_______________________________________________
Nfdump-discuss mailing list
Nfdump-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfdump-discuss
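
Added example (not from the nfdump source or from either poster): a stand-alone C probe that looks up a System V shared memory key with the same `shmget(..., 0600)` access bits as the quoted excerpt and reports whether the segment is absent, accessible (with owner uid and mode), or denied to the calling user. The type and function names and the default key are hypothetical; size 0 is passed so the lookup does not depend on `sizeof(bookkeeper_t)`.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>

typedef enum { SEG_ABSENT, SEG_ACCESSIBLE, SEG_DENIED, SEG_ERROR } seg_state_t;
/* owner and mode are valid only when state == SEG_ACCESSIBLE */
typedef struct { seg_state_t state; uid_t owner; unsigned mode; } seg_info_t;

/* Map the errno of a failed shmget() onto the cases the excerpt handles. */
seg_state_t classify_shmget_errno(int err) {
    switch (err) {
    case ENOENT: return SEG_ABSENT;   /* no segment exists for this key */
    case EACCES: return SEG_DENIED;   /* exists, but its mode excludes this user */
    default:     return SEG_ERROR;
    }
}

/* Look up (never create) the segment for key and report who owns it. */
seg_info_t probe_segment(key_t key) {
    seg_info_t info = { SEG_ERROR, 0, 0 };
    struct shmid_ds ds;
    /* Same access bits as the excerpt; size 0 matches a segment of any size. */
    int id = shmget(key, 0, 0600);
    if (id < 0 || shmctl(id, IPC_STAT, &ds) < 0) {
        info.state = classify_shmget_errno(errno);
        return info;
    }
    info.state = SEG_ACCESSIBLE;
    info.owner = ds.shm_perm.uid;
    info.mode  = ds.shm_perm.mode & 0777;
    return info;
}

int main(int argc, char **argv) {
    /* The default key is a constructed placeholder; pass the real key as hex. */
    key_t key = (key_t)strtoul(argc > 1 ? argv[1] : "0x4e464b31", NULL, 16);
    seg_info_t i = probe_segment(key);
    static const char *names[] = { "absent", "accessible", "access denied", "error" };
    printf("key 0x%lx: %s", (unsigned long)key, names[i.state]);
    if (i.state == SEG_ACCESSIBLE)
        printf(" (owner uid %lu, mode %04o)", (unsigned long)i.owner, i.mode);
    putchar('\n');
    return i.state == SEG_DENIED;     /* exit status 1 only for the EACCES case */
}
```

Run it as the unprivileged account; when it reports access denied, `ipcs -m` lists the segment's owner and permissions.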