Documentation #7138

open

"Permission denied" when trying to add and update new ruleset

Added by Lu 99 5 months ago. Updated 5 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort: low
Difficulty: low
Label: Beginner

Description

Hi! How are you? Thanks for this great tool.

I'm on an Ubuntu-based system and installed Suricata 7.0.6.

I followed security advice and I'm running Suricata as the suricata user.

Then I followed instructions to add a new ruleset:

sudo suricata-update enable-source oisf/trafficid

But when trying to update and merge the ruleset, I got this error:

sudo suricata-update
[...]
4/7/2024 -- 11:30:06 - <Info> -- Enabled 136 rules for flowbit dependencies.
4/7/2024 -- 11:30:06 - <Info> -- Backing up current rules.
4/7/2024 -- 11:30:08 - <Info> -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 50940; enabled: 38724; added: 34; removed 0; modified: 0
4/7/2024 -- 11:30:08 - <Info> -- Writing /var/lib/suricata/rules/classification.config
4/7/2024 -- 11:30:08 - <Info> -- Testing with suricata -T.
4/7/2024 -- 11:30:08 - <Error> -- Error opening file: "/tmp/tmpror979xf/fast.log": Permission denied
4/7/2024 -- 11:30:08 - <Error> -- output module "fast": setup failed
4/7/2024 -- 11:30:08 - <Error> -- Suricata test failed, aborting.
4/7/2024 -- 11:30:08 - <Error> -- Restoring previous rules.

I guess it is easy to solve by changing some permissions on /tmp or adding suricata to some group, but I'm not sure exactly what the best way is, and it would be nice to do it together and improve the documentation.


Related issues 1 (1 open, 0 closed)

Related to Suricata-Update - Bug #6241: Suricata test-mode can fail when user and group provided with run-as. - New - Jason Ish

#1

Updated by Lu 99 5 months ago

  • Description updated (diff)

#2

Updated by Lu 99 5 months ago

  • Priority changed from Normal to High

#3

Updated by Victor Julien 5 months ago

  • Project changed from Suricata to Suricata-Update
  • Status changed from In Progress to New
  • Priority changed from High to Normal
  • Target version changed from TBD to TBD

#4

Updated by Jason Ish 5 months ago

  • Related to Bug #6241: Suricata test-mode can fail when user and group provided with run-as. added

#5

Updated by Jason Ish 5 months ago

One work-around for now is to not use run-as in your Suricata configuration, but we should probably also consider some other options like not requiring root access to test load of rules, however it might need to read them.

https://forum.suricata.io/t/suricata-update-aborts-with-permission-error/3756/2

However, some umask fiddling might help as well.
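
An added diagnostic, not part of this thread or of suricata-update's code: it applies the classic POSIX mode-bit check to a directory made with Python's `tempfile.mkdtemp()` to show why a non-root run-as identity cannot create `fast.log` there. That the temporary directory in the log above was created this way is an assumption, as are the stand-in uid/gid values; ACLs and capabilities are ignored.

```python
import os
import stat
import tempfile


def may_create_file(st, uid, gids):
    """Classic POSIX mode-bit check (no ACLs, no capabilities): can a process
    with this uid and these group ids create a file in the directory `st`?"""
    if uid == 0:
        return True  # root bypasses the mode bits
    mode = stat.S_IMODE(st.st_mode)
    if uid == st.st_uid:
        bits = mode >> 6          # owner class
    elif st.st_gid in gids:
        bits = mode >> 3          # group class
    else:
        bits = mode               # other class
    # Creating a file needs write (2) and search (1) on the directory.
    return bits & 0o3 == 0o3


def diagnose(log_dir, uid, gids):
    """Return (octal mode string, verdict) for a run-as identity."""
    st = os.stat(log_dir)
    return oct(stat.S_IMODE(st.st_mode)), may_create_file(st, uid, gids)


def demo():
    # Constructed stand-in for the run-as account: a uid/gid that is neither
    # root nor the owner of the temporary directory.
    log_dir = tempfile.mkdtemp()      # always created 0700, owned by the caller
    st = os.stat(log_dir)
    other_uid, other_gid = st.st_uid + 1, st.st_gid + 1
    results = {"default": diagnose(log_dir, other_uid, [other_gid])}
    os.chmod(log_dir, 0o755)          # traversable, but still not writable
    results["0755"] = diagnose(log_dir, other_uid, [other_gid])
    os.chmod(log_dir, 0o770)          # writable only via the directory's group
    results["0770+group"] = diagnose(log_dir, other_uid, [st.st_gid])
    os.rmdir(log_dir)
    return results


if __name__ == "__main__":
    for case, (mode, ok) in demo().items():
        print(f"{case:12} mode={mode} run-as user can create fast.log: {ok}")
```

To check a real system, call `diagnose()` with the directory in question and the numeric uid and group ids of the configured run-as user.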

#6

Updated by Lu 99 5 months ago · Edited

Ok, but would you improve the documentation?

I'm not sure whether to revert those security instructions and let Suricata run as root, or what to do.

Thanks in advance.
