Project

General

Profile

Actions

Bug #2337

open

give warning if permissions won't allow log reopen after dropping privs

Added by Victor Julien almost 7 years ago. Updated over 5 years ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

If we drop privs files that we could open as root might not be readable and writable anymore. We should be able to detect this during startup and warn the user.

This applies to the log files like eve and fast.log, but also to suricata.log for engine messages.


Related issues 2 (1 open1 closed)

Related to Suricata - Bug #2373: unix domain socket owner stays root when priviledges droppedFeedbackOISF DevActions
Related to Suricata - Bug #2386: check if default log dir is writable at start upClosedShivani BhardwajActions
Actions #1

Updated by Victor Julien almost 7 years ago

  • Description updated (diff)
Actions #2

Updated by Victor Julien almost 7 years ago

  • Status changed from New to Assigned
  • Assignee set to Richard Sailer
  • Target version set to 70
Actions #3

Updated by Richard Sailer almost 7 years ago

I would like to create and work on two, extra but related issues which are:

  1. Change owner of unix domain socket before priviledge drop
  2. Change owner of file extraction dir before priviledge drop

Any objections? There are perhaps more related issues.

Actions #4

Updated by Jason Ish almost 7 years ago

Richard Sailer wrote:

Richard Sailer wrote:

I would like to create and work on two extra but related issues which are:

  1. Change owner of unix domain socket before priviledge drop
  2. Change owner of file extraction dir before priviledge drop

Any objections? There are perhaps more related issues.

No objections here. With respect to the warning if permissions won't allow a re-open, I think I'd also want to the exit with --init-errors-fatal.

Also, in such cases we should see about moving the first open to a point after the privileges are dropped, so it fails out on first startup, rather than after a log rotate.

Actions #5

Updated by Richard Sailer almost 7 years ago

What do you think about simply changing the owner of the log dir and files to the user we will become,
just before the privilege drop?

This would be a simpler implementation than testing+warning, and nicer/less work for the admin.

Actions #6

Updated by Richard Sailer almost 7 years ago

  • Related to Bug #2373: unix domain socket owner stays root when priviledges dropped added
Actions #7

Updated by Jason Ish almost 7 years ago

Richard Sailer wrote:

What do you think about simply changing the owner of the log dir and files to the user we will become,
just before the privilege drop?

While I like this idea, I wonder what package maintainers, in particular for Fedora/Centos and Debian/Ubuntu would think of that.

This would be a simpler implementation than testing+warning, and nicer/less work for the admin.

While it might be nicer, would it still be worthwhile to do this for the case when not running as root? Might give us better error messages if we don't have write access to the log directory. For example, on FreeBSD/OpenBSD I believe non-root usage can be done just by tweaking the privileges on the /dev/bpf devices. So there you could have Suricata running as a user that can run in live mode, but not log?

Actions #8

Updated by Victor Julien almost 7 years ago

  • Related to Bug #2386: check if default log dir is writable at start up added
Actions #9

Updated by Andreas Herz almost 6 years ago

  • Assignee changed from Richard Sailer to OISF Dev
Actions #10

Updated by Andreas Herz over 5 years ago

  • Target version changed from 70 to TBD
Actions

Also available in: Atom PDF