On Mon, 28 Nov 2016 11:26:04 +0100 Arturo Borrero Gonzalez <art...@debian.org> wrote:
>
> I will do some tests on my side too when the release happens.
>
Here are my tests using 3.2.1-1~bpo8+1:

A fresh debian jessie system with jessie-backports enabled.

I added the 'suri' user and 'suri' group to the system:

% sudo adduser --system suri
% sudo addgroup --system suri
% sudo adduser suri suri

I edited /etc/suricata/suricata.yaml and set:

run-as:
  user: suri
  group: suri

Then I checked /var/log/suricata/. The files there belong, by default installation, to root.

I tried to start suricata by issuing:

% sudo systemctl start suricata

The logs show:

[...]
24/4/2017 -- 11:08:07 - <Info> - dropped the caps for main thread
24/4/2017 -- 11:08:07 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//fast.log": Permission denied
24/4/2017 -- 11:08:07 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
24/4/2017 -- 11:08:07 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//eve.json": Permission denied
24/4/2017 -- 11:08:07 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
24/4/2017 -- 11:08:07 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//stats.log": Permission denied
24/4/2017 -- 11:08:07 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
24/4/2017 -- 11:08:07 - <Info> - Going to use 8 thread(s)
24/4/2017 -- 11:08:07 - <Info> - Using unix socket file '/var/run/suricata-command.socket'
24/4/2017 -- 11:08:07 - <Warning> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Unix socket: UNIX socket bind(/var/run/suricata-command.socket) error: Address already in use
24/4/2017 -- 11:08:07 - <Warning> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Unable to create unix command socket
24/4/2017 -- 11:08:07 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.

So, suricata fails to open the log files, since they belong to root. Also, suricata fails to open the unix socket, since /var/run/ is also a protected directory.
BTW, shortly after these messages, suricata seems to enter a loop (100% CPU consumed):

[...]
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
[...]

which is clearly not good.

What if I change the /var/log/suricata permissions?

% sudo chown suri:suri /var/log/suricata/*

Starting suricata:

[...]
24/4/2017 -- 11:11:28 - <Info> - dropped the caps for main thread
24/4/2017 -- 11:11:28 - <Info> - fast output device (regular) initialized: fast.log
24/4/2017 -- 11:11:28 - <Info> - eve-log output device (regular) initialized: eve.json
24/4/2017 -- 11:11:28 - <Info> - stats output device (regular) initialized: stats.log
24/4/2017 -- 11:11:28 - <Info> - Going to use 8 thread(s)
24/4/2017 -- 11:11:29 - <Info> - Using unix socket file '/var/run/suricata-command.socket'
24/4/2017 -- 11:11:29 - <Warning> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Unix socket: UNIX socket bind(/var/run/suricata-command.socket) error: Address already in use
24/4/2017 -- 11:11:29 - <Warning> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Unable to create unix command socket
24/4/2017 -- 11:11:29 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:11:29 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:11:29 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:11:29 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:11:29 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.
24/4/2017 -- 11:11:29 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:11:29 - <Info> - Unix socket: accept() error: Invalid argument
[...]

It seems this solves the log opening issues. But still, the unix socket problem is the same.

A solution to avoid the problems with the unix socket with the current suricata code would be to use a different path for it, a path which is under the control of the admin and whose ownership could be safely switched. I haven't investigated this further.

If I disable privilege dropping, all seems good:

[...]
24/4/2017 -- 11:19:52 - <Info> - Going to use 8 thread(s)
24/4/2017 -- 11:19:52 - <Info> - Using unix socket file '/var/run/suricata-command.socket'
24/4/2017 -- 11:19:52 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.
24/4/2017 -- 11:19:52 - <Info> - All AFP capture threads are running.
[...]

It seems log handling is not the only challenge when dropping privileges, and it seems that a bit more work is required in order to successfully run suricata with privilege dropping.

Will report further as soon as I have more news regarding this subject. I will send this information upstream as well.
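As an added illustration of the problem described in this mail (this is not code from the mail, from the Debian package or from upstream suricata), the following POSIX sh preflight script checks, before run-as is enabled, that every path suricata must open after dropping its privileges is owned by the target user and group. The log file names are the defaults seen in the log output above; /var/run/suricata is an assumed dedicated socket directory that the admin creates and chowns, standing in for the root-owned /var/run that the mail identifies as the remaining obstacle.

```shell
#!/bin/sh
# Added preflight check for suricata privilege dropping (illustration only,
# not from the mail above, the Debian package or upstream suricata).
# Before setting run-as: in suricata.yaml, verify that every path suricata
# opens *after* dropping privileges is owned by the target user:group, so
# the "Permission denied" and "Unable to create unix command socket"
# failures seen in the log above are caught before the daemon is started.
#
# Assumptions (not from the mail): fast.log/eve.json/stats.log are the
# default outputs shown in the log; /var/run/suricata is a hypothetical
# dedicated socket directory owned by suri:suri.

# to_uid NAME_OR_UID / to_gid NAME_OR_GID: resolve a name to a numeric id;
# numeric ids are passed through unchanged.
to_uid() { case "$1" in *[!0-9]*) id -u "$1" ;; *) printf '%s\n' "$1" ;; esac; }
to_gid() { case "$1" in *[!0-9]*) getent group "$1" | cut -d: -f3 ;; *) printf '%s\n' "$1" ;; esac; }

# check_owner PATH UID GID: report whether PATH exists and is owned by
# UID:GID. Returns 0 when it is, 1 otherwise (a missing path is a failure,
# because suricata cannot create it in a root-owned directory either).
check_owner() {
    path=$1; uid=$2; gid=$3
    if [ ! -e "$path" ]; then
        printf 'MISSING %s\n' "$path"
        return 1
    fi
    have=$(stat -c '%u:%g' "$path")   # GNU stat (Debian); BSD: stat -f '%u:%g'
    if [ "$have" = "$uid:$gid" ]; then
        printf 'ok      %s (%s)\n' "$path" "$have"
        return 0
    fi
    printf 'BAD     %s is owned by %s, want %s:%s\n' "$path" "$have" "$uid" "$gid"
    return 1
}

# preflight USER GROUP LOGDIR SOCKDIR: check the log directory, the default
# output files and the socket directory. The return value is the number of
# paths that failed; 0 means run-as can be enabled safely.
preflight() {
    uid=$(to_uid "$1"); gid=$(to_gid "$2"); logdir=$3; sockdir=$4
    fails=0
    for p in "$logdir" "$logdir/fast.log" "$logdir/eve.json" "$logdir/stats.log" "$sockdir"; do
        check_owner "$p" "$uid" "$gid" || fails=$((fails + 1))
    done
    return "$fails"
}

# Stand-alone use on a Debian host, with the user and group from the mail
# and the assumed dedicated socket directory:
#   preflight suri suri /var/log/suricata /var/run/suricata
```

Run it as root after the chown step from the mail and before starting the service; a non-zero exit count lists exactly which paths still belong to root. Pointing suricata at a socket inside the dedicated directory is the `unix-command:` / `filename:` setting in suricata.yaml (check the key against the yaml shipped with your version), which is the admin-controlled path the mail proposes.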