Bug #3265

closed

Dropping privileges does not work with NFLOG

Added by Timo Sigurdsson over 4 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label: Needs backport

Description

Hi,

I'm using Suricata 4.1.2 on Debian 10. I use the NFLOG capture method. This works fine unless I instruct Suricata to run as a non-root user. As soon as I add this to my suricata.yaml, the service won't start anymore:

run-as:
  user: suricata
  group: suricata

Of course, both the user and group exist and the log directory and files are writable for the user. Nevertheless, Suricata fails to start and writes the following error message to suricata.log:

19/10/2019 -- 01:40:38 - <Notice> - This is Suricata version 4.1.2 RELEASE
19/10/2019 -- 01:42:24 - <Error> - [ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed

That's it. Suricata goes into a loop here. When it starts up, it consumes 100% CPU time of one core for a while until it fails with the above error and restarts again (the restart might be triggered by the systemd service configuration).

When I comment the run-as configuration out, everything works as expected.

Is there anything I can do to make Suricata drop its privileges when using the NFLOG capture method? Am I missing something here?

Cheers,

Timo


Files

suricata-no-comments.yaml (9.9 KB), Timo Sigurdsson, 10/30/2019 08:21 PM
suricata-fix-nflog-privs.patch (700 Bytes), Timo Sigurdsson, 02/02/2020 06:12 PM

Related issues: 1 (0 open, 1 closed)

Copied to Suricata - Bug #3473: Dropping privileges does not work with NFLOG (5.0.x) (Closed, Victor Julien)
Actions #1

Updated by Andreas Herz over 4 years ago

  • Assignee set to Community Ticket
  • Target version set to TBD

I'm trying to reproduce it, what does your configuration look like?

Actions #2

Updated by Timo Sigurdsson over 4 years ago

Andreas Herz wrote:

I'm trying to reproduce it, what does your configuration look like?

Sorry for the delay. I'm using a configuration based on the Debian default configuration, with some stuff commented out and fewer options modified to my liking. I attached a configuration file with the comments stripped out like this:
grep -v -e '^$' -e '^[ ]*#' /etc/suricata/suricata.yaml > suricata-no-comments.yaml

Actions #3

Updated by Andreas Herz over 4 years ago

How do you run/start suricata, and with what command line options?

Actions #4

Updated by Timo Sigurdsson over 4 years ago

Andreas Herz wrote:

How do you run/start suricata, and with what command line options?

I edited the systemd unit file so ExecStart is now:
/usr/bin/suricata -D --nflog -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid

Actions #5

Updated by Timo Sigurdsson over 4 years ago

Meanwhile, I found the culprit as well as a simple solution.

It seems src/util-privs.c sets capabilities for various runmodes, but not nflog. I wrote a simple patch against Debian's suricata 4.1.2 and with that applied, suricata successfully drops its privileges and runs under the user and group defined in the run-as configuration section. The patch applies the same capabilities that would be used in the nfq runmode to the nflog runmode (i.e. CAP_NET_ADMIN and CAP_SYS_NICE). I'm not entirely sure CAP_SYS_NICE is required in the nflog runmode, but I assume the threading requirements are the same as in nfq. But CAP_NET_ADMIN is definitely required to bind to an nflog group.

I'd appreciate if you could review the patch and integrate it into the suricata source code (while I wrote the patch for 4.1.2, it applies to the current git master as well). I would then ask the Debian package maintainer if he can backport the fix, given how trivial it is. Thanks!
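
A check for the outcome described in the comment above, as an added example that is not part of the ticket or of Suricata's code: it audits `/proc/<pid>/status` text to confirm a process runs as non-root while holding CAP_NET_ADMIN and CAP_SYS_NICE and nothing else. The function names and sample status texts are constructed for illustration; the capability bit numbers are those in linux/capability.h.

```python
# Added example: audit /proc/<pid>/status text for the capability set named above.
# Bit numbers are from linux/capability.h; the sample status texts are constructed.
CAP_NET_ADMIN = 12   # needed to bind to an nflog group
CAP_SYS_NICE = 23    # granted alongside it, as in the nfq runmode
EXPECTED = (1 << CAP_NET_ADMIN) | (1 << CAP_SYS_NICE)
NAMES = {CAP_NET_ADMIN: "CAP_NET_ADMIN", CAP_SYS_NICE: "CAP_SYS_NICE"}


def parse_status(text):
    """Extract uids and capability masks from /proc/<pid>/status content."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    ruid, euid = (int(x) for x in fields["Uid"].split()[:2])
    return {"ruid": ruid, "euid": euid,
            "eff": int(fields["CapEff"], 16), "prm": int(fields["CapPrm"], 16)}


def cap_names(mask):
    """Turn a capability bitmask into readable names, lowest bit first."""
    return [NAMES.get(b, f"cap_bit_{b}") for b in range(64) if mask >> b & 1]


def audit(text, expected=EXPECTED):
    """Return a list of findings; an empty list means the drop looks right."""
    st = parse_status(text)
    findings = []
    if 0 in (st["ruid"], st["euid"]):
        findings.append("still running as root")
    findings += [f"missing {n}" for n in cap_names(expected & ~st["eff"])]
    findings += [f"unexpected {n}"
                 for n in cap_names((st["eff"] | st["prm"]) & ~expected)]
    return findings


# Constructed samples (not taken from the ticket).
DROPPED_OK = ("Name:\tSuricata-Main\nUid:\t110\t110\t110\t110\n"
              "CapPrm:\t0000000000801000\nCapEff:\t0000000000801000\n")
DROPPED_NO_CAPS = ("Name:\tSuricata-Main\nUid:\t110\t110\t110\t110\n"
                   "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n")
STILL_ROOT = ("Name:\tSuricata-Main\nUid:\t0\t0\t0\t0\n"
              "CapPrm:\t0000000000003000\nCapEff:\t0000000000003000\n")

if __name__ == "__main__":
    for label, sample in [("ok", DROPPED_OK), ("no caps", DROPPED_NO_CAPS),
                          ("root", STILL_ROOT)]:
        print(label, audit(sample))
```

On a live host, pass the contents of `/proc/<pid>/status` for the running process to `audit()`.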

Actions #6

Updated by Andreas Herz over 4 years ago

Can you send us a PR with that patch included via GitHub? See https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing for more details.
That would be helpful.

Actions #8

Updated by Victor Julien over 4 years ago

  • Status changed from New to Closed
  • Assignee changed from Community Ticket to Timo Sigurdsson
  • Target version changed from TBD to 6.0.0beta1
  • Label Needs backport added
Actions #9

Updated by Victor Julien over 4 years ago

  • Copied to Bug #3473: Dropping privileges does not work with NFLOG (5.0.x) added