Bug #1271
closedCreating core dump with dropped privileges
Description
I'm not sure if it's a bug or just a normal behaviour, but if i use another user for suricata (suri:suri for example) instead of root, i get
10/9/2014 -- 10:41:07 - <Info> - Core dump size is unlimited. 10/9/2014 -- 10:41:07 - <Info> - dropped the caps for main thread
So i guess with dropping the caps it looses the possibility to create a coredump. When i use root as user, it works.
Updated by Peter Manev about 9 years ago
Can you confirm that this is not related to permissions?
Example - the user "suricata" has no permissions to write in the coredump directory defined in suricata.yaml?
thanks
Updated by Andreas Herz about 9 years ago
Peter Manev wrote:
Can you confirm that this is not related to permissions?
Example - the user "suricata" has no permissions to write in the coredump directory defined in suricata.yaml?
How can i set the dir in the .yaml? couldn't find any documentation related to this.
I have the following in /etc/sysctl.conf and loaded it (for testing purpose):
kernel.core_pattern = /var/log/suricata/core_%e_%p_%s_%t
Since the folder is owned by suricata and it can write the logfiles (fast.log etc.) i doubt a permission issue.
Updated by Peter Manev about 9 years ago
# Daemon working directory
section in suricata.yaml
Updated by Andreas Herz about 9 years ago
Nothing defined, since it's not run in -D mode :)
Config is found here: http://paste.geekosphere.org/ZqatQTf8XLm6dRya (except that for the cap test the user part is changed from root to suricata and group as well)
Updated by Andreas Herz almost 9 years ago
Not sure if it's directly related but i have the same issue with the pidfile.
suricata -c /etc/suricata/suricata-eth4.conf -q 0 --pidfile /tmp/suricata-eth4.pid
When i have user "root" in the .conf i get the pid file created and deleted after suricata quits.
When i have another user like "suricata" i get the pid file created but not deleted after suricata quits.
I start suricata as "root" user in the shell (or via script), so i let suricata drop the privileges.
Updated by Andreas Herz almost 9 years ago
drwxrwxrwt 3 root root 27K Nov 6 09:12 tmp
Updated by Peter Manev almost 9 years ago
Is that the case only when you use " -q 0 " ?
Updated by Andreas Herz almost 9 years ago
Also with just "-i ethX" the pidfile is not deleted. In "-D" mode i can't say it for sure, since sending "kill -s TERM" is resulting in "Signal Received. Stopping engine." but doesn't stop suricata, it keeps running.
Updated by Peter Manev almost 9 years ago
For testing coredump - can you try:
sudo kill -n ABRT `pidof suricata`
instead of kill -s TERM
On a separate note.
If there is no traffic coming on to the listening interface Suricata will not exit - as you describe. Can you confirm this is the case - when you stop Suricata there is no traffic on the interface?
thanks
Updated by Andreas Herz almost 9 years ago
Using ABRT results in suricata being stopped but no coredump file and the pidfile not removed.
I tested it with and without traffic, behaviour didn't change.
If i start suricata without "-D" like this:
/usr/sbin/suricata -c /etc/suricata/suricata-eth4.conf -i eth4 --pidfile /tmp/suricata-test.pid
And after engine is started and i press CTRL+c i'm also stuck at the signal received/stopping engine part, even as root:root without dropping privileges.
Updated by Peter Manev almost 9 years ago
I can confirm that actually (for 2.1beta2) - when running as a user - I can not get it to get a coredump.
Updated by Andreas Herz over 7 years ago
- Assignee set to Andreas Herz
- Target version set to TBD
Updated by Andreas Herz over 7 years ago
And still an issue with 3.0 as well btw
Updated by Elazar Broad over 5 years ago
Possible solution: https://github.com/OISF/suricata/pull/3362
Updated by Andreas Herz about 5 years ago
- Assignee changed from Andreas Herz to Anonymous
Updated by Andreas Herz about 4 years ago
There is some new discussion on this, see the linked PR
Updated by Victor Julien about 4 years ago
- Tracker changed from Bug to Feature
- Status changed from New to Closed
- Assignee changed from Community Ticket to Jason Ish
- Priority changed from Low to Normal
- Target version changed from TBD to 5.0rc1