Bug #2337 (open): give warning if permissions won't allow log reopen after dropping privs
Description
If we drop privs, files that we could open as root might not be readable and writable anymore. We should be able to detect this during startup and warn the user.
This applies to the log files like eve and fast.log, but also to suricata.log for engine messages.
Updated by Victor Julien about 7 years ago
- Status changed from New to Assigned
- Assignee set to Richard Sailer
- Target version set to 70
Updated by Richard Sailer about 7 years ago
I would like to create and work on two extra but related issues, which are:
- Change owner of unix domain socket before privilege drop
- Change owner of file extraction dir before privilege drop
Any objections? There are perhaps more related issues.
Updated by Jason Ish about 7 years ago
Richard Sailer wrote:
I would like to create and work on two extra but related issues, which are:
- Change owner of unix domain socket before privilege drop
- Change owner of file extraction dir before privilege drop
Any objections? There are perhaps more related issues.
No objections here. With respect to the warning if permissions won't allow a re-open, I think I'd also want it to exit with --init-errors-fatal.
Also, in such cases we should see about moving the first open to a point after the privileges are dropped, so it fails out on first startup, rather than after a log rotate.
Updated by Richard Sailer about 7 years ago
What do you think about simply changing the owner of the log dir and files to the user we will become,
just before the privilege drop?
This would be a simpler implementation than testing+warning, and nicer/less work for the admin.
Updated by Richard Sailer about 7 years ago
- Related to Bug #2373: unix domain socket owner stays root when privileges dropped added
Updated by Jason Ish about 7 years ago
Richard Sailer wrote:
What do you think about simply changing the owner of the log dir and files to the user we will become,
just before the privilege drop?
While I like this idea, I wonder what package maintainers, in particular for Fedora/Centos and Debian/Ubuntu would think of that.
This would be a simpler implementation than testing+warning, and nicer/less work for the admin.
While it might be nicer, would it still be worthwhile to do this for the case when not running as root? Might give us better error messages if we don't have write access to the log directory. For example, on FreeBSD/OpenBSD I believe non-root usage can be done just by tweaking the privileges on the /dev/bpf devices. So there you could have Suricata running as a user that can run in live mode, but not log?
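The startup sequence the thread converges on (chown the log files to the target user while still root, drop privileges, then verify each log can still be reopened and fail hard when --init-errors-fatal is set) as an added example in C. This is illustration code written for this page, not Suricata's own implementation; the function names, the log paths and the target user are hypothetical, and the test file under /tmp is constructed.

```c
/* Added example, not Suricata code. Demonstrates the order of operations
 * discussed in this issue: chown log files to the user we will become
 * (Richard's proposal), drop privileges, then check that every log can be
 * reopened as that user (Jason's check), warning or exiting fatally.
 * All names and paths below are hypothetical. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Reopen `path` the way a log rotate would (append, create if missing).
 * Returns 0 on success, -1 with errno set on failure. Run this after the
 * privilege drop so the result reflects the unprivileged user, not root. */
int log_check_reopen(const char *path) {
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Check every configured log. Prints a warning (or an error when
 * init_errors_fatal is set) per failure and returns the failure count so the
 * caller can decide whether to continue or exit. */
int log_check_all(const char *const *paths, size_t n, int init_errors_fatal) {
    int failed = 0;
    for (size_t i = 0; i < n; i++) {
        if (log_check_reopen(paths[i]) != 0) {
            fprintf(stderr, "%s: cannot reopen log %s after privilege drop: %s\n",
                    init_errors_fatal ? "ERROR" : "WARNING", paths[i], strerror(errno));
            failed++;
        }
    }
    return failed;
}

/* Hand the log files to the user we are about to become, so that a later
 * reopen succeeds. Only meaningful while still running as root.
 * Returns 0 on success, -1 (errno set) on the first failure. */
int log_chown_all(const char *const *paths, size_t n, uid_t uid, gid_t gid) {
    for (size_t i = 0; i < n; i++) {
        if (chown(paths[i], uid, gid) != 0)
            return -1;
    }
    return 0;
}

/* Permanently drop to `user`: clear supplementary groups, set gid, then uid,
 * and confirm the drop cannot be undone (setuid(0) must fail afterwards).
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privs(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0) {
        errno = EPERM; /* we could regain root: treat as a failed drop */
        return -1;
    }
    return 0;
}

int main(int argc, char **argv) {
    /* Hypothetical configuration: run with `./a.out <user>` as root. */
    const char *user = argc > 1 ? argv[1] : "suricata";
    const char *logs[] = { "/var/log/suricata/suricata.log",
                           "/var/log/suricata/eve.json",
                           "/var/log/suricata/fast.log" };
    size_t nlogs = sizeof(logs) / sizeof(logs[0]);
    int init_errors_fatal = 1;

    struct passwd *pw = getpwnam(user);
    if (pw != NULL && geteuid() == 0 &&
        log_chown_all(logs, nlogs, pw->pw_uid, pw->pw_gid) != 0)
        fprintf(stderr, "WARNING: chown of log files failed: %s\n", strerror(errno));
    if (drop_privs(user) != 0) {
        fprintf(stderr, "ERROR: cannot drop privileges to %s: %s\n", user, strerror(errno));
        return EXIT_FAILURE;
    }
    if (log_check_all(logs, nlogs, init_errors_fatal) > 0 && init_errors_fatal)
        return EXIT_FAILURE;
    return EXIT_SUCCESS;
}
```

The reopen check is deliberately placed after drop_privs rather than at the first open, which is the point Jason makes: a file root can open says nothing about what the unprivileged user will be able to do at the next log rotate, and the same check gives a clear error when Suricata is started as a non-root user that can capture but cannot write to the log directory.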
Updated by Victor Julien about 7 years ago
- Related to Bug #2386: check if default log dir is writable at start up added
Updated by Andreas Herz almost 6 years ago
- Assignee changed from Richard Sailer to OISF Dev