Dropping privileges does not work with NFLOG
I'm using Suricata 4.1.2 on Debian 10. I use the NFLOG capture method. This works fine unless I instruct Suricata to run as a non-root user. As soon as I add this to my suricata.yaml, the service won't start anymore:
run-as: user: suricata group: suricata
Of course, both the user and group exist and the log directory and files are writable for the user. Nevertheless, Suricata fails to start and writes the following error message to suricata.log:
19/10/2019 -- 01:40:38 - <Notice> - This is Suricata version 4.1.2 RELEASE 19/10/2019 -- 01:42:24 - <Error> - [ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed
That's it. Suricata goes into a loop here. When it starts up, it consumes 100% CPU time of one core for a while until it fails with the above error and restarts again (the restart might be triggered by the systemd service configuration).
When I comment the run-as configuration out, everything works as expected.
Is there anything I can to to make Suricata drop it's privileges when using the NFLOG capture method? Am I missing something here?
Updated by Timo Sigurdsson over 4 years ago
Andreas Herz wrote:
I'm trying to reproduce it, what does your configuration look like?
Sorry for the delay. I'm using a configuration based on the Debian default configuration, with some stuff commented out and less options modified to my liking. I attached a configuration file with the comments stripped out like this:
grep -v -e '^$' -e '^[ ]*#' /etc/suricata/suricata.yaml > suricata-no-comments.yaml
Updated by Timo Sigurdsson about 4 years ago
Meanwhile, I found the culprit as well as a simple solution.
It seems src/util-privs.c sets capabilities for various runmodes, but not nflog. I wrote a simple patch against Debian's suricata 4.1.2 and with that applied, suricata successfully drops its privileges and runs under the user and group defined in the run-as configuration section. The patch applies the same capabilities that would be used in the nfq runmode to the nflog runmode (i.e. CAP_NET_ADMIN and CAP_SYS_NICE). I'm not entirely sure CAP_SYS_NICE is required in the nflog runmode, but I assume the threading requirements are the same as in nfq. But CAP_NET_ADMIN is definitely required to bind to and nflog group.
I'd appreciate if you could review the patch and integrate it into the suricata source code (while I wrote the patch for 4.1.2, it applies to the current git master as well). I would then ask the Debian package maintainer if he can backport the fix, given how trivial it is. Thanks!
Updated by Andreas Herz about 4 years ago
Can you send us a PR with that patch included via github? see https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing for more details.
That would be helpful.