ntopng failing on NetRxOpen call
2017-11-07 13:47

The ntopng application can interface to the Napatech SmartNIC via the libpcap interface.


Depending on how the Napatech 3GD driver has been set up and installed, the user may see a "NetRxOpen failed" error when starting ntopng:

# LD_PRELOAD=/opt/napatech3/lib/libpcap.so ./ntopng -i napa1
07/Nov/2017 14:43:01 [Ntop.cpp:1435] Setting local networks to 127.0.0.0/8
07/Nov/2017 14:43:01 [Redis.cpp:111] Successfully connected to redis 127.0.0.1:6379@0
07/Nov/2017 14:43:01 [Redis.cpp:111] Successfully connected to redis 127.0.0.1:6379@0
07/Nov/2017 14:43:02 [PcapInterface.cpp:88] Reading packets from interface napa1...
07/Nov/2017 14:43:02 [PcapInterface.cpp:93] WARNING: Unable to set packet capture direction
07/Nov/2017 14:43:02 [Ntop.cpp:1561] Registered interface napa1 [id: 1]
07/Nov/2017 14:43:02 [main.cpp:312] PID stored in file /var/run/ntopng.pid
07/Nov/2017 14:43:02 [HTTPserver.cpp:839] HTTPS Disabled: missing SSL certificate /root/ntop/ntopng/httpdocs/ssl/ntopng-cert.pem
07/Nov/2017 14:43:02 [HTTPserver.cpp:841] Please read https://github.com/ntop/ntopng... if you want to enable SSL.
07/Nov/2017 14:43:02 [Utils.cpp:449] WARNING: Groups[0] 0
07/Nov/2017 14:43:02 [Utils.cpp:462] User changed to cve_test
07/Nov/2017 14:43:02 [Utils.cpp:474] WARNING: Groups[0] 0
07/Nov/2017 14:43:02 [Utils.cpp:484] WARNING: Groups[0] 0
07/Nov/2017 14:43:02 [HTTPserver.cpp:912] Web server dirs [/root/ntop/ntopng/httpdocs][/root/ntop/ntopng/scripts]
07/Nov/2017 14:43:02 [HTTPserver.cpp:915] HTTP server listening on port(s) 3000
07/Nov/2017 14:43:02 [main.cpp:394] Working directory: /home/cve_test/tmp
07/Nov/2017 14:43:02 [main.cpp:396] Scripts/HTML pages directory: /root/ntop/ntopng
07/Nov/2017 14:43:02 [Ntop.cpp:349] Welcome to ntopng x86_64 v.3.1.171107 - (C) 1998-17 ntop.org
07/Nov/2017 14:43:02 [Ntop.cpp:359] Built on CentOS Linux release 7.4.1708 (Core) 
07/Nov/2017 14:43:02 [PeriodicActivities.cpp:51] Started periodic activities loop...
07/Nov/2017 14:43:02 [NetworkInterface.cpp:2331] Started packet polling on interface napa1 [id: 1]...
NT: ./pcap-napatech-3g.c 1417: napatech_pcap_read_segment: NetRxOpen failed ((NTE_MODULE_NTIPC_CON):IPC connect socket failed)


The error occurs when both of the following are true:

  1. The ‘napatech’ system group is present on the system
  2. The ‘root’ user is not a member of the ‘napatech’ group

The cause is that ntopng drops privileges to another user at startup; by default this is the ‘nobody’ user.

When it does so, the application retains any supplementary group memberships that the initial user has (in the typical case, this is the root user). When the ‘napatech’ group is present, the Napatech 3GD driver uses this group to control which users can access the SmartNIC. So if the root user is not a member of the ‘napatech’ group, the application is not allowed to access the Napatech SmartNIC device after dropping privileges.


Solutions:

  1. One option is not to have the ‘napatech’ group present on your system. This way, after a restart of the ntservice, any user can access the Napatech SmartNIC.
  2. Another option is to add the root user to the ‘napatech’ group. This way, the 'nobody' user will inherit the group membership when the privileges are dropped.
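
A check for the two conditions above, as an added example (not Napatech or ntop code). It reads the group database and, for a running process, the Groups: line of /proc/<pid>/status; the function names and file-path parameters are this example's own.

```shell
#!/bin/sh
# Added diagnostic example; function names and file parameters are this example's own.

# group_gid NAME [GROUP_FILE]: print the gid of NAME; return non-zero if the group is absent.
group_gid() {
    awk -F: -v g="$1" '$1 == g { print $3; found = 1 } END { exit !found }' "${2:-/etc/group}"
}

# user_in_group USER NAME [GROUP_FILE]: succeed if USER is in NAME's member list
# (supplementary membership only; a primary gid set in /etc/passwd is not checked).
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "${3:-/etc/group}"
}

# proc_has_gid GID STATUS_FILE: succeed if the "Groups:" line of a
# /proc/<pid>/status file lists GID, i.e. the process kept that group after the drop.
proc_has_gid() {
    awk -v gid="$1" '$1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == gid) ok = 1 }
        END { exit !ok }' "$2"
}

# napatech_access USER [GROUP_FILE]: classify the situation the article describes.
#   open    - no napatech group, so the driver does not restrict access
#   ok      - USER is a member, so the group is retained after the privilege drop
#   blocked - group exists and USER is not a member: expect "NetRxOpen failed"
napatech_access() {
    grp_file="${2:-/etc/group}"
    if ! group_gid napatech "$grp_file" >/dev/null 2>&1; then
        echo open
    elif user_in_group "$1" napatech "$grp_file"; then
        echo ok
    else
        echo blocked
    fi
}

echo "root: $(napatech_access root)"
# For a running instance (pid lookup is left to the operator):
#   proc_has_gid "$(group_gid napatech)" /proc/<pid>/status && echo "process holds napatech"
```

Run `napatech_access` for whichever user starts ntopng; after either solution is applied it should report `open` or `ok`.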
Christian Vejlbo 2017-11-13 13:09

Something similar is also seen for the 'tcpdump' utility, where the utility drops privileges to the tcpdump user.
