
Support #3126

Suricata can't drop privileges on Debian 10

Added by Daniel Vein about 2 months ago. Updated 24 days ago.

Status:
New
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

user@debian:~$ suricata --build-info
This is Suricata version 4.1.4 RELEASE
Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS MAGIC RUST
SIMD support: SSE_4_2 SSE_4_1 SSE_3
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 8.3.0, C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.30, linked against LibHTP v0.5.30

Suricata Configuration:
AF_PACKET support: yes
eBPF support: no
XDP support: no
PF_RING support: no
NFQueue support: yes
NFLOG support: no
IPFW support: no
Netmap support: no
DAG enabled: no
Napatech enabled: no
WinDivert enabled: no

Unix socket enabled:                     yes
Detection enabled: yes
Libmagic support:                        yes
libnss support: yes
libnspr support: yes
libjansson support: yes
liblzma support: no
hiredis support: no
hiredis async with libevent: no
Prelude support: no
PCRE jit: yes
LUA support: no
libluajit: no
libgeoip: yes
Non-bundled htp: no
Old barnyard2 support: no
Hyperscan support: yes
Libnet support: yes
liblz4 support: no
Rust support:                            yes (default)
Rust strict mode: no
Rust debug mode: no
Rust compiler: rustc 1.34.2
Rust cargo: cargo 1.34.0
Install suricatasc:                      yes
Install suricata-update: yes
Profiling enabled:                       no
Profiling locks enabled: no

Development settings:
Coccinelle / spatch: no
Unit tests enabled: no
Debug output enabled: no
Debug validation enabled: no

Generic build parameters:
Installation prefix: /usr
Configuration directory: /etc/suricata/
Log directory: /var/log/suricata/

--prefix                                 /usr
--sysconfdir /etc
--localstatedir /var
--datarootdir /usr/share
Host:                                    x86_64-pc-linux-gnu
Compiler: gcc (exec name) / gcc (real)
GCC Protect enabled: no
GCC march native enabled: yes
GCC Profile enabled: no
Position Independent Executable enabled: no
CFLAGS g -O2 -march=native -I${srcdir}/../rust/gen/c-headers
PCAP_CFLAGS -I/usr/include
SECCFLAGS
-----------------------------------------------------------------------------------------------------------------------------------------

root@sdebian:/etc/suricata# suricata -c suricata.yaml -q 0 --user=suri --group=suri
25/8/2019 -- 16:15:10 - <Notice> - This is Suricata version 4.1.4 RELEASE
25/8/2019 -- 16:15:10 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata/classification.config": Permission denied
25/8/2019 -- 16:15:10 - <Error> - [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the "classification-file" option in your suricata.yaml file
25/8/2019 -- 16:15:10 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata/reference.config": Permission denied
25/8/2019 -- 16:15:10 - <Error> - [ERRCODE: SC_ERR_OPENING_FILE(40)] - please check the "reference-config-file" option in your suricata.yaml file
25/8/2019 -- 16:15:10 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
25/8/2019 -- 16:15:10 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
25/8/2019 -- 16:15:10 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/etc/suricata//threshold.config": Permission denied
25/8/2019 -- 16:15:10 - <Error> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Cannot create socket directory /var/run/suricata/: Permission denied
25/8/2019 -- 16:15:10 - <Warning> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Unable to create unix command socket
25/8/2019 -- 16:15:10 - <Notice> - all 10 packet processing threads, 4 management threads initialized, engine started.
^C25/8/2019 -- 16:15:46 - <Notice> - Signal Received. Stopping engine.
25/8/2019 -- 16:15:47 - <Notice> - (RX-Q0) Treated: Pkts 0, Bytes 0, Errors 0
25/8/2019 -- 16:15:47 - <Notice> - (RX-Q0) Verdict: Accepted 0, Dropped 0, Replaced 0

History

#1

Updated by Peter Manev about 2 months ago

It seems you get a lot of permission errors; maybe you could adjust that?
I don't have an issue dropping privileges like so:

/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -v --user=logstash

and the user logstash is allowed to write in the log folder.

#2

Updated by Daniel Vein about 2 months ago

I tried your way but still no go, same errors. I then tried to correct permissions (which I'm not sure is the correct way to handle dropping privileges?). I was able to get most of the errors cleared, except it won't load rules. FYI, it works fine if I don't supply user or group.

root@debian:/etc/suricata# /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -q 0 -v --user=suri --group=suri
28/8/2019 -- 18:20:30 - <Notice> - This is Suricata version 4.1.4 RELEASE
28/8/2019 -- 18:20:30 - <Info> - CPUs/cores online: 8
28/8/2019 -- 18:20:30 - <Info> - NFQ running in standard ACCEPT/DROP mode
28/8/2019 -- 18:20:30 - <Info> - dropped the caps for main thread
28/8/2019 -- 18:20:30 - <Info> - fast output device (regular) initialized: fast.log
28/8/2019 -- 18:20:30 - <Info> - eve-log output device (regular) initialized: eve.json
28/8/2019 -- 18:20:30 - <Info> - stats output device (regular) initialized: stats.log
28/8/2019 -- 18:20:30 - <Info> - Running in live mode, activating unix socket
28/8/2019 -- 18:20:30 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
28/8/2019 -- 18:20:30 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
28/8/2019 -- 18:20:30 - <Info> - Threshold config parsed: 0 rule(s) found
28/8/2019 -- 18:20:30 - <Info> - 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
28/8/2019 -- 18:20:30 - <Info> - binding this thread 0 to queue '0'
28/8/2019 -- 18:20:30 - <Info> - setting queue length to 4096
28/8/2019 -- 18:20:30 - <Info> - setting nfnl bufsize to 6144000
28/8/2019 -- 18:20:30 - <Info> - Running in live mode, activating unix socket
28/8/2019 -- 18:20:30 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
28/8/2019 -- 18:20:30 - <Notice> - all 10 packet processing threads, 4 management threads initialized, engine started.
^C28/8/2019 -- 18:20:42 - <Notice> - Signal Received. Stopping engine.
28/8/2019 -- 18:20:43 - <Info> - time elapsed 12.349s
28/8/2019 -- 18:20:43 - <Notice> - (RX-Q0) Treated: Pkts 0, Bytes 0, Errors 0
28/8/2019 -- 18:20:43 - <Notice> - (RX-Q0) Verdict: Accepted 0, Dropped 0, Replaced 0
28/8/2019 -- 18:20:43 - <Info> - Alerts: 0
28/8/2019 -- 18:20:43 - <Info> - cleaning up signature grouping structure... complete

#3

Updated by Andreas Herz about 2 months ago

  • Tracker changed from Bug to Support
  • Assignee set to Community Ticket
  • Target version set to TBD

What does ls -lisah /var/lib/suricata/rules/suricata.rules say?

#4

Updated by Alexander Gozman about 1 month ago

CAP_DAC_OVERRIDE (or smth like this) is missing. Unfortunately, the way suricata deals with capabilities is not convenient to fix the issue (or maybe I just do not know a proper way :) The most simple thing to do is to add CAP_DAC_OVERRIDE to SCDropMainThreadCaps(), is it ok (it does the trick)?

#6

Updated by Jeff Lucovsky 25 days ago

Overriding all DAC checks seems like overkill.

What are the permissions/ownership of /var/lib/suricata/rules/suricata.rules?
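A pre-flight check for the question raised in #3 and #6, added here as an example and not code from the ticket or from the Suricata project: it applies the kernel's discretionary access (DAC) rules (owner, group and other bits; uid 0 bypasses them, which is the effect CAP_DAC_OVERRIDE would grant) to the paths named in the ticket for the run-as user, so ownership can be fixed instead of widening capabilities. The `suri` user and the paths come from the ticket; the function names and the GNU `stat -c` / `id` wrappers are my assumptions.

```shell
#!/bin/bash
# Hypothetical pre-flight check (not part of Suricata). Before starting with
# --user/--group, predict which paths the unprivileged user can still access,
# using the same DAC rules the kernel applies. Root (uid 0) passes every check,
# which is why the errors in the ticket only appear once privileges are dropped.

# dac_allows MODE_OCTAL OWNER_UID OWNER_GID WANT UID GID...
# WANT is r, w or x. Returns 0 if allowed, 1 if denied (pure computation).
dac_allows() {
    mode=$((0$1)); owner_uid=$2; owner_gid=$3; want=$4; uid=$5; shift 5
    case $want in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 2 ;; esac
    if [ "$uid" -eq 0 ]; then return 0; fi        # root: bypass (CAP_DAC_OVERRIDE)
    if [ "$uid" -eq "$owner_uid" ]; then sh=6     # owner bits only, even if group would allow
    else
        sh=0                                      # default: "other" bits
        for g in "$@"; do [ "$g" -eq "$owner_gid" ] && sh=3; done   # group bits
    fi
    [ $(( (mode >> sh) & bit )) -ne 0 ]
}

# check_path PATH WANT USER: gather mode/ownership with GNU stat(1) and the
# user's ids with id(1), then report. Needs an existing user account.
check_path() {
    path=$1; want=$2; user=$3
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    set -- $(stat -c '%a %u %g' "$path")
    if dac_allows "$1" "$2" "$3" "$want" "$(id -u "$user")" $(id -G "$user"); then
        echo "ok       $want $path"
    else
        echo "DENIED   $want $path (mode $1 uid $2 gid $3)"; return 1
    fi
}

# Paths from the ticket: configs and rules must be readable, the socket and log
# directories writable, by the run-as user (suri in the ticket).
preflight() {
    user=${1:-suri}; rc=0
    for p in /etc/suricata/suricata.yaml /etc/suricata/classification.config \
             /etc/suricata/reference.config /etc/suricata/threshold.config \
             /var/lib/suricata/rules/suricata.rules; do
        check_path "$p" r "$user" || rc=1
    done
    for d in /var/run/suricata /var/log/suricata; do
        [ -d "$d" ] || d=$(dirname "$d")   # created at startup: parent must be writable
        check_path "$d" w "$user" || rc=1
    done
    return $rc
}

if [ "${1-}" ]; then preflight "$1"; fi   # usage: ./preflight.sh suri
```

A DENIED line points at a file or directory to chown/chmod for the run-as user (or a group it belongs to); a clean run means Suricata can drop root without needing CAP_DAC_OVERRIDE.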

#7

Updated by Daniel Vein 24 days ago

Sorry to get back so late, but my hard drive failed... could be part of the issue. I decided to use Debian's suricata package instead of building, but that is giving me problems with dropping privileges. I'll open a community ticket.
