
Documentation #7138: "Permission denied" when trying to add and update new ruleset

Added by Lu 99 almost 2 years ago. Updated almost 2 years ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort: low
Difficulty: low
Label: Beginner

Description

Hi! How are you? Thanks for this great tool.

I'm on an Ubuntu-based system and installed suricata 7.0.6.

I followed security advice and I'm running suricata as the suricata user.

Then I followed the instructions to add a new ruleset:

sudo suricata-update enable-source oisf/trafficid

But when trying to update and merge the ruleset, I got this error:

sudo suricata-update
[...]
4/7/2024 -- 11:30:06 - <Info> -- Enabled 136 rules for flowbit dependencies.
4/7/2024 -- 11:30:06 - <Info> -- Backing up current rules.
4/7/2024 -- 11:30:08 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 50940; enabled: 38724; added: 34; removed 0; modified: 0
4/7/2024 -- 11:30:08 - <Info> -- Writing /var/lib/suricata/rules/classification.config
4/7/2024 -- 11:30:08 - <Info> -- Testing with suricata -T.
4/7/2024 -- 11:30:08 - <Error> -- Error opening file: "/tmp/tmpror979xf/fast.log": Permission denied
4/7/2024 -- 11:30:08 - <Error> -- output module "fast": setup failed
4/7/2024 -- 11:30:08 - <Error> -- Suricata test failed, aborting.
4/7/2024 -- 11:30:08 - <Error> -- Restoring previous rules.

I guess it is easy to solve by changing some permissions on /tmp or adding suricata to some group, but I'm not sure exactly what the best way is, and it would be nice to do it together and improve the documentation.


Related issues 1 (1 open, 0 closed)

Related to Suricata-Update - Bug #6241: Suricata test-mode can fail when user and group provided with run-as. (New, Jason Ish)

Updated by Lu 99 almost 2 years ago #1

  • Description updated (diff)

Updated by Lu 99 almost 2 years ago #2

  • Priority changed from Normal to High

Updated by Victor Julien almost 2 years ago #3

  • Project changed from Suricata to Suricata-Update
  • Status changed from In Progress to New
  • Priority changed from High to Normal
  • Target version changed from TBD to TBD

Updated by Jason Ish almost 2 years ago #4

  • Related to Bug #6241: Suricata test-mode can fail when user and group provided with run-as. added

Updated by Jason Ish almost 2 years ago #5

One work-around for now is to not use run-as in your Suricata configuration, but we should probably also consider some other options like not requiring root access to test load of rules, however it might need to read them.

https://forum.suricata.io/t/suricata-update-aborts-with-permission-error/3756/2

However, some umask fiddling might help as well.

Updated by Lu 99 almost 2 years ago · Edited #6

Ok, but would you improve the documentation?

I'm not sure whether to revert those security instructions and let suricata run as root, or what to do.

Thanks in advance.
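
Added example, not part of the thread and not suricata-update's own code: the directory in the error (/tmp/tmpror979xf) has the shape of a name produced by Python's tempfile.mkdtemp(), which creates directories with mode 0700 owned by the calling user. Assuming the test directory is created that way by the user running suricata-update, the check below reports whether a different run-as identity could create fast.log in it; the function names and the uid/gid values passed in are hypothetical.

```python
import os
import stat
import tempfile


def can_write_dir(mode, owner_uid, owner_gid, uid, gids):
    """Return True if a non-root process with (uid, gids) may create files
    in a directory with this mode and ownership.

    Only the classic POSIX permission bits are evaluated; ACLs and
    capabilities are ignored. Creating a file needs write + search (x).
    """
    if uid == owner_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif owner_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return mode & need == need


def check_test_dir(run_as_uid, run_as_gids):
    """Create a temp dir as the current user (assumption: this mirrors how
    the rule-test log directory is made) and report its mode and whether
    the run-as identity could write a log file into it."""
    tmpdir = tempfile.mkdtemp()
    try:
        st = os.stat(tmpdir)
        mode = stat.S_IMODE(st.st_mode)
        writable = can_write_dir(mode, st.st_uid, st.st_gid,
                                 run_as_uid, run_as_gids)
        return mode, writable
    finally:
        os.rmdir(tmpdir)


if __name__ == "__main__":
    # Constructed identity: any uid/gid other than the invoking user's.
    other_uid, other_gid = os.getuid() + 1, os.getgid() + 1
    mode, writable = check_test_dir(other_uid, [other_gid])
    print(f"temp dir mode {oct(mode)}; writable by uid {other_uid}: {writable}")
```

Run as the same user that invokes suricata-update, it shows why a process that drops privileges to another account gets "Permission denied" on a log file inside that directory.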
