Documentation #7138
open
"Permission denied" when trying to add and update new ruleset
Description
Hi! How are you? Thanks for this great tool.
I'm on an Ubuntu-based system and installed suricata 7.0.6.
I followed security advice and I'm running suricata as the suricata user.
Then I followed instructions to add a new ruleset:
sudo suricata-update enable-source oisf/trafficid
But when trying to update and merge the ruleset, I got this error:
sudo suricata-update
[...]
4/7/2024 -- 11:30:06 - <Info> -- Enabled 136 rules for flowbit dependencies.
4/7/2024 -- 11:30:06 - <Info> -- Backing up current rules.
4/7/2024 -- 11:30:08 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 50940; enabled: 38724; added: 34; removed 0; modified: 0
4/7/2024 -- 11:30:08 - <Info> -- Writing /var/lib/suricata/rules/classification.config
4/7/2024 -- 11:30:08 - <Info> -- Testing with suricata -T.
4/7/2024 -- 11:30:08 - <Error> -- Error opening file: "/tmp/tmpror979xf/fast.log": Permission denied
4/7/2024 -- 11:30:08 - <Error> -- output module "fast": setup failed
4/7/2024 -- 11:30:08 - <Error> -- Suricata test failed, aborting.
4/7/2024 -- 11:30:08 - <Error> -- Restoring previous rules.
I guess it is easy to solve by changing some permissions at /tmp or adding suricata to some group, but I'm not sure exactly what the best way is, and it would be nice to do it together and improve the documentation.
Updated by Victor Julien 5 months ago
- Project changed from Suricata to Suricata-Update
- Status changed from In Progress to New
- Priority changed from High to Normal
- Target version changed from TBD to TBD
Updated by Jason Ish 5 months ago
One work-around for now is to not use run-as in your Suricata configuration, but we should probably also consider some other options like not requiring root access to test load of rules, however it might need to to read them.
https://forum.suricata.io/t/suricata-update-aborts-with-permission-error/3756/2
However, some umask fiddling might help as well.
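An added diagnostic example (not from this thread and not suricata-update's own code) for the "Permission denied" on /tmp/tmpror979xf/fast.log in the log above. It assumes the test directory is created by the root-run updater with Python's tempfile.mkdtemp, which yields mode 0700, and that Suricata opens fast.log only after switching to the suricata user. The function names and the uid/gid values are constructed for illustration.

```python
import os
import stat
import tempfile


def can_create_file(dir_stat, uid, gids):
    """POSIX mode-bit check: may (uid, gids) create a file in this directory?

    Creating a file needs write + search (execute) permission on the directory.
    ACLs, capabilities and LSMs (AppArmor, SELinux) are not modelled.
    """
    if uid == 0:
        return True  # root bypasses mode bits
    if uid == dir_stat.st_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_stat.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return dir_stat.st_mode & need == need


def demo():
    # Stand-in for the temporary log directory created by the invoking user
    # (assumption: created with mkdtemp, as the /tmp/tmpXXXXXXXX name suggests).
    tmpdir = tempfile.mkdtemp()
    try:
        st = os.stat(tmpdir)
        # Constructed identity: a service account that is neither the owner
        # nor a member of the owning group.
        svc_uid, svc_gid = st.st_uid + 1000, st.st_gid + 1000
        before = can_create_file(st, svc_uid, {svc_gid})
        # Group-scoped alternative to world-writable: 0770 on the directory,
        # with the service account in the owning group.
        os.chmod(tmpdir, 0o770)
        st2 = os.stat(tmpdir)
        after = can_create_file(st2, svc_uid, {st2.st_gid})
        return stat.S_IMODE(st.st_mode), before, after
    finally:
        os.rmdir(tmpdir)


if __name__ == "__main__":
    mode, before, after = demo()
    print(f"mkdtemp mode {mode:o}: service account can create fast.log: {before}")
    print(f"after 0770 + group membership: {after}")
```

mkdtemp requests mode 0700 explicitly, so a umask can only remove bits from it and cannot grant group or other access to the directory.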