Support #3126

Suricata can't drop privileges on Debian 10

Added by Daniel Vein over 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal

Description

user@debian:~$ suricata --build-info
This is Suricata version 4.1.4 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS MAGIC RUST
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 8.3.0, C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.30, linked against LibHTP v0.5.30

Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no

Unix socket enabled: yes
Detection enabled: yes
Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
liblzma support: no
hiredis support: no
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: no
libluajit: no
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
Hyperscan support: yes
Libnet support: yes
liblz4 support: no
Rust support: yes (default)
Rust strict mode: no
Rust debug mode: no
Rust compiler: rustc 1.34.2
Rust cargo: cargo 1.34.0
Install suricatasc: yes
Install suricata-update: yes
Profiling enabled: no
Profiling locks enabled: no

Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no

Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/

--prefix /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
Host: x86_64-pc-linux-gnu
Compiler: gcc (exec name) / gcc (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS g -O2 -march=native -I${srcdir}/../rust/gen/c-headers
PCAP_CFLAGS -I/usr/include
SECCFLAGS
-----------------------------------------------------------------------------------------------------------------------------------------

root@sdebian:/etc/suricata# suricata -c suricata.yaml -q 0 --user=suri --group=suri
25/8/2019 -- 16:15:10 - <Notice> - This is Suricata version 4.1.4 RELEASE
25/8/2019 -- 16:15:10 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata/classification.config": Permission denied
25/8/2019 -- 16:15:10 - <Error> - [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the "classification-file" option in your suricata.yaml file
25/8/2019 -- 16:15:10 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata/reference.config": Permission denied
25/8/2019 -- 16:15:10 - <Error> - [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the "reference-config-file" option in your suricata.yaml file
25/8/2019 -- 16:15:10 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
25/8/2019 -- 16:15:10 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
25/8/2019 -- 16:15:10 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata//threshold.config": Permission denied
25/8/2019 -- 16:15:10 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Cannot create socket directory /var/run/suricata/: Permission denied
25/8/2019 -- 16:15:10 - <Warning> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Unable to create unix command socket
25/8/2019 -- 16:15:10 - <Notice> - all 10 packet processing threads, 4 management threads initialized, engine started.
^C25/8/2019 -- 16:15:46 - <Notice> - Signal Received. Stopping engine.
25/8/2019 -- 16:15:47 - <Notice> - (RX-Q0) Treated: Pkts 0, Bytes 0, Errors 0
25/8/2019 -- 16:15:47 - <Notice> - (RX-Q0) Verdict: Accepted 0, Dropped 0, Replaced 0

Actions #1

Updated by Peter Manev over 4 years ago

It seems you get a lot of permission errors; maybe you could adjust that?
I don't have an issue in dropping privileges like so:

/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -v --user=logstash

and the user logstash is allowed to write in the log folder.

Actions #2

Updated by Daniel Vein over 4 years ago

I tried your way but still no go, same errors. I then tried to correct permissions (which I'm not sure is the correct way to handle dropping privileges?). I was able to get most of the errors cleared, except it won't load rules. FYI, it works fine if I don't supply user or group.

root@debian:/etc/suricata# /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -q 0 -v --user=suri --group=suri
28/8/2019 -- 18:20:30 - <Notice> - This is Suricata version 4.1.4 RELEASE
28/8/2019 -- 18:20:30 - <Info> - CPUs/cores online: 8
28/8/2019 -- 18:20:30 - <Info> - NFQ running in standard ACCEPT/DROP mode
28/8/2019 -- 18:20:30 - <Info> - dropped the caps for main thread
28/8/2019 -- 18:20:30 - <Info> - fast output device (regular) initialized: fast.log
28/8/2019 -- 18:20:30 - <Info> - eve-log output device (regular) initialized: eve.json
28/8/2019 -- 18:20:30 - <Info> - stats output device (regular) initialized: stats.log
28/8/2019 -- 18:20:30 - <Info> - Running in live mode, activating unix socket
28/8/2019 -- 18:20:30 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
28/8/2019 -- 18:20:30 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
28/8/2019 -- 18:20:30 - <Info> - Threshold config parsed: 0 rule(s) found
28/8/2019 -- 18:20:30 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
28/8/2019 -- 18:20:30 - <Info> - binding this thread 0 to queue '0'
28/8/2019 -- 18:20:30 - <Info> - setting queue length to 4096
28/8/2019 -- 18:20:30 - <Info> - setting nfnl bufsize to 6144000
28/8/2019 -- 18:20:30 - <Info> - Running in live mode, activating unix socket
28/8/2019 -- 18:20:30 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
28/8/2019 -- 18:20:30 - <Notice> - all 10 packet processing threads, 4 management threads initialized, engine started.
^C28/8/2019 -- 18:20:42 - <Notice> - Signal Received. Stopping engine.
28/8/2019 -- 18:20:43 - <Info> - time elapsed 12.349s
28/8/2019 -- 18:20:43 - <Notice> - (RX-Q0) Treated: Pkts 0, Bytes 0, Errors 0
28/8/2019 -- 18:20:43 - <Notice> - (RX-Q0) Verdict: Accepted 0, Dropped 0, Replaced 0
28/8/2019 -- 18:20:43 - <Info> - Alerts: 0
28/8/2019 -- 18:20:43 - <Info> - cleaning up signature grouping structure... complete

Actions #3

Updated by Andreas Herz over 4 years ago

  • Tracker changed from Bug to Support
  • Assignee set to Community Ticket
  • Target version set to TBD

What does ls -lisah /var/lib/suricata/rules/suricata.rules say?

Actions #4

Updated by Alexander Gozman over 4 years ago

CAP_DAC_OVERRIDE (or something like this) is missing. Unfortunately, the way suricata deals with capabilities is not convenient to fix the issue (or maybe I just do not know a proper way :) The most simple thing to do is to add CAP_DAC_OVERRIDE to SCDropMainThreadCaps(), is it ok (it does the trick)?

Actions #6

Updated by Jeff Lucovsky over 4 years ago

Overriding all DAC checks seems like overkill.

What are the permissions/ownership of /var/lib/suricata/rules/suricata.rules?
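Andreas's `ls -lisah` and Jeff's question both come down to what the suri user can still read or write once root is gone. The script below is an added example (not from the ticket or the Suricata project) that answers that for every path in the error output above by computing plain DAC results from owner, group and mode bits, so it gives the same answer whether or not you run it as root; it assumes GNU or busybox `stat -c` and that the target user exists. The path list (suricata.yaml, classification.config, reference.config, threshold.config, the rules file, /var/log/suricata and /var/run/suricata) comes from the ticket; the function names and the optional ROOT staging argument are this example's own.

```shell
#!/bin/sh
# Model the plain DAC checks Suricata faces once it has dropped root to
# --user/--group. Only owner, group and mode bits are consulted (GNU/busybox
# stat -c assumed), so nothing is actually opened and the answer is the same
# when run as root, whose CAP_DAC_OVERRIDE would otherwise hide exactly the
# "Permission denied" errors shown in this ticket.

# dac_allows USER MODE PATH: exit 0 if USER may open PATH for MODE (r or w).
dac_allows() {
    _user=$1; _want=$2; _path=$3
    _uid=$(id -u "$_user" 2>/dev/null) || return 1
    _st=$(stat -c '%u %g %a' "$_path" 2>/dev/null) || return 1
    _owner=${_st%% *}; _grp=${_st#* }; _grp=${_grp%% *}; _perm=${_st##* }
    _perm=$(printf '%03d' "$_perm"); _perm=${_perm#"${_perm%???}"}  # keep rwx digits only
    if [ "$_uid" = "$_owner" ]; then
        _d=$(echo "$_perm" | cut -c1)                     # owner class
    else
        _d=$(echo "$_perm" | cut -c3)                     # other class ...
        for _g in $(id -G "$_user"); do                   # ... unless a group matches
            [ "$_g" = "$_grp" ] && _d=$(echo "$_perm" | cut -c2) && break
        done
    fi
    case $_want in r) _bit=4 ;; w) _bit=2 ;; *) return 2 ;; esac
    [ $(( _d & _bit )) -ne 0 ]
}

# suricata_preflight USER [ROOT]: print one FAIL line per path USER cannot use;
# the exit status is the number of failures. ROOT points it at a staging tree.
suricata_preflight() {
    _pf_user=$1; _pf_root=${2:-}; _pf_fails=0
    # Read: suricata.yaml, the config files it names, and the rule file.
    for _pf_f in etc/suricata/suricata.yaml etc/suricata/classification.config \
                 etc/suricata/reference.config etc/suricata/threshold.config \
                 var/lib/suricata/rules/suricata.rules; do
        dac_allows "$_pf_user" r "$_pf_root/$_pf_f" ||
            { echo "FAIL read  $_pf_root/$_pf_f"; _pf_fails=$((_pf_fails + 1)); }
    done
    # Write: log dir, and the socket dir (or its parent if it must be created).
    _pf_run=$_pf_root/var/run/suricata
    [ -d "$_pf_run" ] || _pf_run=$_pf_root/var/run
    for _pf_f in "$_pf_root/var/log/suricata" "$_pf_run"; do
        dac_allows "$_pf_user" w "$_pf_f" ||
            { echo "FAIL write $_pf_f"; _pf_fails=$((_pf_fails + 1)); }
    done
    return $_pf_fails
}

# Usage: sh suricata_preflight.sh suri [/staging/root]
if [ $# -gt 0 ]; then suricata_preflight "$@"; fi
```

Each FAIL line maps to one of the errors in the ticket: a read failure on a config or rules file is the SC_ERR_FOPEN/SC_ERR_NO_RULES case, a write failure on /var/run is the "Cannot create socket directory" case.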

Actions #7

Updated by Daniel Vein over 4 years ago

Sorry to get back so late, but my hard drive failed... could be part of the issue. I decided to use Debian's suricata package instead of building, but that is giving me problems with dropping privileges. I'll open a community ticket.

Actions #8

Updated by Andreas Herz over 3 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
