Project

General

Profile

Bug #3219

permission of data dir should be checked before operations

Added by Victor Julien 11 days ago. Updated 5 days ago.

Status:
Assigned
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

When running with insufficient permissions, the default updating is kind of ok:

$ ./bin/suricata-update --suricata-conf ../suricata/suricata.yaml --suricata ../suricata/src/suricata
5/10/2019 -- 08:08:06 - <Info> -- Using data-directory /var/lib/suricata.
5/10/2019 -- 08:08:06 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
5/10/2019 -- 08:08:06 - <Info> -- Found Suricata version 5.0.0-dev at ../suricata/src/suricata.
5/10/2019 -- 08:08:06 - <Info> -- Loading ../suricata/suricata.yaml
5/10/2019 -- 08:08:06 - <Info> -- Disabling rules with proto modbus
5/10/2019 -- 08:08:06 - <Info> -- Disabling rules with proto enip
5/10/2019 -- 08:08:06 - <Info> -- Disabling rules with proto dnp3
5/10/2019 -- 08:08:06 - <Warning> -- Source index is older than 2 weeks. Please update with suricata-update update-sources.
5/10/2019 -- 08:08:06 - <Info> -- Fetching https://rules.emergingthreats.net/open/suricata-5.0.0/emerging.rules.tar.gz.
 100% - 2461714/2461714
5/10/2019 -- 08:08:12 - <Error> -- Failed to copy file: [Errno 13] Permission denied: u'/var/lib/suricata/update/cache/1168f1cf2d4676c8d507bbb6ea3b2078-emerging.rules.tar.gz'

Although I would have expected an error sooner, like right after
5/10/2019 -- 08:08:06 - <Info> -- Using data-directory /var/lib/suricata.

But when doing the update-sources command things get more ugly:

$ ./bin/suricata-update --suricata-conf ../suricata/suricata.yaml --suricata ../suricata/src/suricata update-sources
5/10/2019 -- 08:08:34 - <Info> -- Using data-directory /var/lib/suricata.
5/10/2019 -- 08:08:34 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
5/10/2019 -- 08:08:34 - <Info> -- Found Suricata version 5.0.0-dev at ../suricata/src/suricata.
5/10/2019 -- 08:08:34 - <Info> -- Downloading https://www.openinfosecfoundation.org/rules/index.yaml
Traceback (most recent call last):
  File "./bin/suricata-update", line 33, in <module>
    sys.exit(main.main())
  File "/home/victor/dev/suricata-update/suricata/update/main.py", line 1512, in main
    sys.exit(_main())
  File "/home/victor/dev/suricata-update/suricata/update/main.py", line 1285, in _main
    return args.func()
  File "/home/victor/dev/suricata-update/suricata/update/commands/updatesources.py", line 50, in update_sources
    with open(local_index_filename, "wb") as outobj:
IOError: [Errno 13] Permission denied: u'/var/lib/suricata/update/cache/index.yaml'

Observed on 1.1.0rc1.

History

#1

Updated by Shivani Bhardwaj 11 days ago

  • Status changed from New to Assigned
  • Target version set to 1.1.0
#2

Updated by Shivani Bhardwaj 9 days ago

Victor Julien wrote:

When running with insufficient permissions, the default updating is kind of ok:
[...]
Although I would have expected an error sooner, like right after

I think that if we have to follow EAFP (https://docs.python.org/3/glossary.html#term-eafp) this is probably at the right place as we're not writing the directory when we're determining its path during configuration. `os` module methods do not cover a lot of cases so checking for write access may not be fool-proof.

Let me know if you have other opinion.

But when doing the update-sources command things get more ugly:
[...]

Observed on 1.1.0rc1.

#3

Updated by Jason Ish 5 days ago

  • Target version changed from 1.1.0 to 1.1.1

Also available in: Atom PDF