From: Vincent Bernat Date: Sun, 16 Nov 2008 19:04:59 +0000 (+0100) Subject: Document privilege separation X-Git-Tag: 0.2~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=13dce469457d8cab6d1659d83da6d157251393c0;p=thirdparty%2Flldpd.git Document privilege separation --- diff --git a/README b/README index 87deb7b2..1686de30 100644 --- a/README +++ b/README @@ -20,6 +20,14 @@ real physical devices, not on bridges, vlans, etc. However, vlans can be mapped on the bonding device. You can bridge vlan but not add vlans on bridges. More complex setups may give false results. +lldpd uses privilege separation to increase its security. Two +processes, one running as root and doing minimal stuff and the other +running as an unprivileged user into a chroot doing most of the stuff, +are cooperating. You need to create a user called "_lldpd" in a group +"_lldpd" (this can be change with ./configure). You also need to +create an empty directory "/var/run/lldpd" (it needs to be owned by +root, not "_lldpd"!). + lldpctl allows to query information collected through the command line. lldpd also implements CDP (Cisco Discovery Protocol), FDP (Foundry
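Review bot: The added README paragraph tells the admin to create "/var/run/lldpd" owned by root, "not "_lldpd"!", but gives neither the reason nor the expected permissions. Since this directory is the chroot of the unprivileged process, a sentence saying that the process must not be able to write to its own chroot, plus the intended mode, would make the requirement harder to get wrong. The same paragraph says the user and group "can be change with ./configure" without naming the options; please name them so packagers do not have to search the configure script. There is also a typo there ("change" should be "changed"), and "into a chroot" reads better as "in a chroot". Finally, "doing minimal stuff" is vague for security documentation; listing what the root process actually keeps doing would let readers judge the remaining privileged surface.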