core: add support for temporary privilege drop and elevation
Added "user" and "group" options to general section of configuration file.
NFD will attempt to set the effective group and user id to these values
after initializing all management modules.
Added privilege helper to drop and temporarily elevate privileges on demand.
Updated README.md with instructions to configure NFD to drop privileges.
Added handler for general confguration file section.
refs: #1370
Change-Id: Id27140ad2dc2ca14751058691511132a35649d58
diff --git a/docs/FAQ.rst b/docs/FAQ.rst
index 6004e85..e0b3ce9 100644
--- a/docs/FAQ.rst
+++ b/docs/FAQ.rst
@@ -69,6 +69,32 @@
How to run NFD as non-root user?
--------------------------------
+How to configure automatic dropping of privileges?
+++++++++++++++++++++++++++++++++++++++++++++++++++
+
+NFD can be configured to drop privileges whenever possible. You can specify a user and/or
+group for NFD to change its *effective* user/group ID to in the ``general`` section of the
+configuration file. For example:
+
+::
+
+ general
+ {
+ user nobody
+ group nogroup
+ }
+
+will configure NFD to drop its effective user and group IDs to ``nobody`` and ``nogroup``,
+respectively.
+
+.. note::
+
+ **IMPORTANT:** NFD may regain elevated permissions as needed during normal
+ execution. Dropping privileges in this manner should not be considered a security
+ mechanism (a compromised NFD that was started as root can trivially return to
+ root). However, reducing privileges may limit any damaged caused by well intentioned,
+ but buggy, code.
+
How to enable Ethernet Face Support?
++++++++++++++++++++++++++++++++++++