Bug #3474

closed

Dropping privileges does not work with NFLOG (4.1.x)

Added by Victor Julien almost 3 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

I'm using Suricata 4.1.2 on Debian 10. I use the NFLOG capture method. This works fine unless I instruct Suricata to run as a non-root user. As soon as I add this to my suricata.yaml, the service won't start anymore:

run-as:
  user: suricata
  group: suricata

Of course, both the user and group exist and the log directory and files are writable for the user. Nevertheless, Suricata fails to start and writes the following error message to suricata.log:

19/10/2019 -- 01:40:38 - <Notice> - This is Suricata version 4.1.2 RELEASE
19/10/2019 -- 01:42:24 - <Error> - [ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed

That's it. Suricata goes into a loop here. When it starts up, it consumes 100% CPU time of one core for a while until it fails with the above error and restarts again (the restart might be triggered by the systemd service configuration).

When I comment the run-as configuration out, everything works as expected.

Is there anything I can do to make Suricata drop its privileges when using the NFLOG capture method? Am I missing something here?

Cheers,

Timo
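The report above describes a failure mode that is easy to miss from the outside: the service "runs" from systemd's point of view while it burns a core and then dies on SC_ERR_NFLOG_BIND, over and over. The following is an added example (not part of the bug report or of Suricata itself) that parses suricata.log lines in the 4.1 format quoted above and flags such a restart loop, so a monitoring job can notice that the sensor never actually reached capture. The first two sample lines are the ones from the report; the remaining lines of the sample log are constructed to show a repeating cycle, and the thresholds (three failures within fifteen minutes) are assumptions, not Suricata settings.

```python
"""Detect a Suricata start/fail loop from suricata.log lines (added example)."""
import re
from datetime import datetime, timedelta

# Line format used by Suricata 4.1, as quoted in the report:
# 19/10/2019 -- 01:42:24 - <Error> - [ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} -- \d{2}:\d{2}:\d{2}) - "
    r"<(?P<level>\w+)> - "
    r"(?:\[ERRCODE: (?P<code>[A-Z0-9_]+)\((?P<num>\d+)\)\] - )?"
    r"(?P<msg>.*)$"
)

STARTUP_MARKER = "This is Suricata version"

# Constructed sample: lines 1-2 are from the report, the rest repeat the cycle
# the reporter describes (restart by systemd, then the same bind failure).
SAMPLE_LOG = [
    "19/10/2019 -- 01:40:38 - <Notice> - This is Suricata version 4.1.2 RELEASE",
    "19/10/2019 -- 01:42:24 - <Error> - [ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed",
    "19/10/2019 -- 01:42:30 - <Notice> - This is Suricata version 4.1.2 RELEASE",
    "19/10/2019 -- 01:44:15 - <Error> - [ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed",
    "19/10/2019 -- 01:44:21 - <Notice> - This is Suricata version 4.1.2 RELEASE",
    "19/10/2019 -- 01:46:07 - <Error> - [ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed",
]


def parse_line(line):
    """Return a dict with ts/level/code/msg for a suricata.log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%m/%Y -- %H:%M:%S")
    return {"ts": ts, "level": m.group("level"), "code": m.group("code"), "msg": m.group("msg")}


def failed_starts(lines, error_code="SC_ERR_NFLOG_BIND"):
    """Pair each startup banner with the next matching error.

    Returns a list of (start_ts, fail_ts, seconds_until_failure). The long gap
    between banner and error is the phase in which the reporter saw 100% CPU.
    """
    runs = []
    pending_start = None
    for event in map(parse_line, lines):
        if event is None:
            continue
        if STARTUP_MARKER in event["msg"]:
            pending_start = event["ts"]
        elif event["code"] == error_code and pending_start is not None:
            delta = int((event["ts"] - pending_start).total_seconds())
            runs.append((pending_start, event["ts"], delta))
            pending_start = None
    return runs


def is_restart_loop(lines, min_failures=3, window=timedelta(minutes=15),
                    error_code="SC_ERR_NFLOG_BIND"):
    """True if at least min_failures failed starts fall inside one window.

    The thresholds are assumptions for this example, not Suricata defaults.
    """
    fail_times = [fail_ts for _, fail_ts, _ in failed_starts(lines, error_code)]
    for i in range(len(fail_times)):
        in_window = [t for t in fail_times[i:] if t - fail_times[i] <= window]
        if len(in_window) >= min_failures:
            return True
    return False


if __name__ == "__main__":
    for start, fail, secs in failed_starts(SAMPLE_LOG):
        print(f"start {start:%H:%M:%S} -> bind failure {fail:%H:%M:%S} after {secs}s")
    print("restart loop detected:", is_restart_loop(SAMPLE_LOG))
```

Run it on a real suricata.log by replacing SAMPLE_LOG with the file's lines; a process that is stuck in this loop never logs a successful capture start, so the absence of that event after a startup banner is the signal worth alerting on, independently of what systemd reports.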


Files

suricata-no-comments.yaml (9.9 KB), Timo Sigurdsson, 10/30/2019 08:21 PM
suricata-fix-nflog-privs.patch (700 Bytes), Timo Sigurdsson, 02/02/2020 06:12 PM

Related issues: 1 (0 open, 1 closed)

Copied from Bug #3473: Dropping privileges does not work with NFLOG (5.0.x) (Closed, Victor Julien)

#1

Updated by Victor Julien almost 3 years ago

  • Copied from Bug #3473: Dropping privileges does not work with NFLOG (5.0.x) added
#2

Updated by Victor Julien almost 3 years ago

  • Status changed from Assigned to Closed
  • Label deleted (Needs backport)