Bug #5836

closed

output: abort triggered on no permission test

Added by Victor Julien over 1 year ago. Updated over 1 year ago.

Status: Closed
Priority: Normal

Description

SV test bug-5198.

Fails when configured with --enable-debug-validation

src/suricata --set outputs.1.eve-log.filename=noperms/eve.json --set outputs.1.eve-log.threaded=true --set classification-file=/home/victor/sync/devel/eidps/etc/classification.config --set reference-config-file=/home/victor/sync/devel/eidps/etc/reference.config --init-errors-fatal -l /tmp/sv-eidps/bug-5198/output -c /home/victor/sync/devel/eidps/suricata.yaml -r /home/victor/sync/qa/sv/all/00default/bug-5198/input.pcap --disable-detection --runmode=single
Notice: suricata: This is Suricata version 7.0.0-rc2-dev (d9e6301af2 2023-01-31) running in USER mode [LogVersion:suricata.c:1148]
Error: logopenfile: Error opening file: "/tmp/sv-eidps/bug-5198/output/noperms/eve.1.json": Permission denied [SCLogOpenFileFp:util-logopenfile.c:438]
suricata: output-packet.c:118: OutputPacketLog: Assertion `!((logger != ((void *)0) && store == ((void *)0)))' failed.
Aborted (core dumped)
This is Suricata version 7.0.0-rc2-dev (d9e6301af2 2023-01-31)
Features: DEBUG DEBUG_VALIDATION NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST 
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 11.3.0, C version 201112
compiled with -fstack-protector-all
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v0.5.42, linked against LibHTP v0.5.42

Suricata Configuration:
  AF_PACKET support:                       yes
  AF_XDP support:                          no
  DPDK support:                            no
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         yes
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  PCRE jit:                                yes
  LUA support:                             yes
  libluajit:                               no
  GeoIP2 support:                          yes
  Non-bundled htp:                         yes
  Hyperscan support:                       yes
  Libnet support:                          yes
  liblz4 support:                          no
  Landlock support:                        yes

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /usr/bin/rustc
  Rust compiler version:                   rustc 1.61.0
  Cargo path:                              /usr/bin/cargo
  Cargo version:                           cargo 1.61.0

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 no, not bundled

  Profiling enabled:                       no
  Profiling locks enabled:                 no

  Plugin support (experimental):           yes

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    yes
  Debug validation enabled:                yes
  Fuzz targets enabled:                    no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var
  --datarootdir                            /usr/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -fno-common -O0 -ggdb3 -Werror -Wchar-subscripts -fno-strict-aliasing -fstack-protector-all -fno-omit-frame-pointer -Wshadow -fPIC -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist
  PCAP_CFLAGS                               -I/usr/include
  SECCFLAGS                                

Related issues 1 (0 open, 1 closed)

Related to Suricata - Bug #5198: eve/stats: ASAN error when eve output file can't be opened. (Closed, Jeff Lucovsky)

#1

Updated by Jason Ish over 1 year ago

  • Assignee changed from OISF Dev to Jason Ish

The issue occurs during initializing when the output module fails to open a specific output file, and an error is returned instead of completing initialization of that output module. However, the runmode setup keeps on going, when it should probably fatal error here.

Note that if the log directory is not writable we do fatal error. So it might make sense during startup to fatal error if any one log file cannot be opened either.

Fix 1) Fatal error during initializing if we can't open a log file. This is my preference.

Fix 2) If we can't open a file, log an error like we do now, but continue to set up the log modules as if it was successful. As the file pointer is null, attempts to log at runtime will fail silently. While Suricata won't automatically re-attempt to open the log files, it can be told to with a SIGHUP. The files will be opened and logging will commence. This isn't that much different than if Suricata started OK, then files were made immutable or something, and a SIGHUP was sent to Suricata. Suricata would no longer log, but keep running fine. Fix files, SIGHUP, and we're logging again.

#2

Updated by Jeff Lucovsky over 1 year ago

  • Related to Bug #5198: eve/stats: ASAN error when eve output file can't be opened. added
#3

Updated by Jeff Lucovsky over 1 year ago

  • Description updated (diff)
#4

Updated by Jeff Lucovsky over 1 year ago

  • Status changed from New to In Progress
  • Assignee changed from Jason Ish to Jeff Lucovsky
#6

Updated by Victor Julien over 1 year ago

  • Status changed from In Review to Assigned

I don't see how an SV update that adjusts the expected exit code can fix an abort().

#7

Updated by Victor Julien over 1 year ago

Jason Ish wrote in #note-1:

> The issue occurs during initializing when the output module fails to open a specific output file, and an error is returned instead of completing initialization of that output module. However, the runmode setup keeps on going, when it should probably fatal error here.
>
> Note that if the log directory is not writable we do fatal error. So it might make sense during startup to fatal error if any one log file cannot be opened either.
>
> Fix 1) Fatal error during initializing if we can't open a log file. This is my preference.

I agree. We shouldn't start in an error state.

Side note: the implementation with 2 related but separate lists is not ideal either. Perhaps this would be a good opportunity to merge them into only one that is used at runtime. The per-thread list members will only have to be extended slightly to also contain the data/ptrs from the other list. Then we could limit this code to walk only one list.
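
A simplified C model of the failure discussed in notes #1 and #7, added here as an illustration and not taken from Suricata's source: the type and function names are hypothetical, and a missing directory stands in for the unwritable noperms directory. It shows how a failed open leaves the per-thread store list shorter than the logger list, and how Fix 1 turns that into a startup failure.

```c
#include <stdbool.h>
#include <stdio.h>
/* Simplified model with hypothetical names; not Suricata's code. */
typedef struct Logger { const char *path; struct Logger *next; } Logger;
typedef struct Store { FILE *fp; struct Store *next; } Store;

/* Per-thread init: open each logger's file and append a store node. A failed
 * open appends nothing, so the lists fall out of lockstep. Returns failures. */
static int thread_init(const Logger *l, Store *pool, Store **head)
{
    int failed = 0;
    Store **tail = head;
    for (; l != NULL; l = l->next) {
        FILE *fp = fopen(l->path, "a");
        if (fp == NULL) { failed++; continue; }
        pool->fp = fp; pool->next = NULL;
        *tail = pool; tail = &pool->next; pool++;
    }
    return failed;
}

/* Runtime walk over both lists; true when a logger is left without a
 * store, the state the debug-validation assertion in the report rejects. */
static bool walk_desynced(const Logger *l, const Store *s)
{
    while (l != NULL && s != NULL) { l = l->next; s = s->next; }
    return l != NULL && s == NULL;
}

/* Fix 1 from the thread: startup fails if any log file cannot be opened. */
static bool startup_allowed(int failed) { return failed == 0; }

static bool run_model(const char *p1, const char *p2, int *failed)
{
    Logger b = { p2, NULL }, a = { p1, &b }; /* two loggers, caller's paths */
    Store pool[2], *stores = NULL;
    *failed = thread_init(&a, pool, &stores);
    bool bad = walk_desynced(&a, stores);
    for (Store *s = stores; s != NULL; s = s->next) fclose(s->fp);
    return bad;
}

int main(void)
{
    int failed;
    /* Constructed sample paths: the first opens, the second cannot. */
    bool bad = run_model("/dev/null", "/nonexistent-dir/eve.json", &failed);
    printf("failed=%d desynced=%d start=%d\n", failed, bad, startup_allowed(failed));
    return 0;
}
```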

#8

Updated by Jeff Lucovsky over 1 year ago

  • Status changed from Assigned to In Review
#9

Updated by Jeff Lucovsky over 1 year ago

  • Status changed from In Review to Closed