Bug #873
closed
suricata.yaml: .mgc is NOT actually added to value for magic file
Description
The suricata.yaml file states that the value you specify for 'magic-file' will then have the .mgc suffix appended.
# Magic file. The extension .mgc is added to the value here.
magic-file: /usr/local/share/misc/magic
There's no code to support this advice:
host:/var/tmp/suricata-1.4.3 root# grep mgc * */* */*/*
configure: e_magic_file="/usr/local/share/misc/magic.mgc"
configure: e_magic_file="/usr/local/share/misc/magic.mgc"
configure: e_magic_file="/usr/local/share/file/magic.mgc"
configure: e_magic_file="$e_winbase\\\\magic.mgc"
configure.ac: e_magic_file="/usr/local/share/misc/magic.mgc"
configure.ac: e_magic_file="/usr/local/share/misc/magic.mgc"
configure.ac: e_magic_file="/usr/local/share/file/magic.mgc"
configure.ac: e_magic_file="$e_winbase\\\\magic.mgc"
suricata.yaml:# Magic file. The extension .mgc is added to the value here.
suricata.yaml.in:# Magic file. The extension .mgc is added to the value here.
and the program bombs out:
11/7/2013 -- 12:32:30 - <Info> - using magic-file /usr/local/share/misc/magic
11/7/2013 -- 12:32:30 - <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/usr/local/share/misc/magic": No such file or directory
host:/apps/ids/suricata root# ls -aCF /usr/local/share/misc
total 5133
drwxr-xr-x 2 root root 3 Jul 10 12:57 ./
drwxr-xr-x 28 root root 28 Jul 10 16:54 ../
-rw-r--r-- 1 root root 2606480 Jul 2 18:32 magic.mgc
The suricata.yaml[.in] file needs to be updated to remove the statement about '.mgc' being automatically appended.
Updated by Andreas Herz about 9 years ago
- Assignee set to Andreas Herz
Can confirm the issue on archlinux
Updated by Andreas Herz about 9 years ago
- Subject changed from 1.4.3: suricata.yaml: .mgc is NOT actually added to value for magic file to suricata.yaml: .mgc is NOT actually added to value for magic file
The problem is that we check with fdopen if the file exists which also works when a directory exists. So in the case of debian fdopen is !=NULL as it has /usr/share/file/magic dir (which is the line in suricata.yaml). But the magic_load function afterwards adds .mgc itself so on debian no one noticed the issue there.
But on archlinux there is /usr/share/file/misc/magic.mgc but no dir /usr/share/file/misc/magic so there you're forced to add .mgc in the suricata.yaml (or mkdir /usr/share/file/misc/magic :p).
So we have 2 solutions:
- fix the code so we will print an error
- change the description in the yaml (easier and we don't have to deal with all the issues with different locations in the systems within configure.ac)
Thoughts?
Updated by Mark Solaris about 9 years ago
Andreas Herz wrote:
So we have 2 solutions:
- fix the code so we will print an error
- change the description in the yaml (easier and we don't have to deal with all the issues with different locations in the systems within configure.ac)
I would fix the code, since every installation will have been configured for the original description. The low effort approach in this case means lower quality of code and will annoy the user base.
Updated by Victor Julien about 9 years ago
Yeah we can probably work around this in the code. E.g. do magic_load first on the path provided, if it fails run it again on the path with .mgc appended.
Updated by Andreas Herz about 9 years ago
magic_load is not the issue since it adds .mgc itself if needed, the problem is the part before.
So if .mgc is not added in the config file we check for a directory instead of a file. So we can use stat to check if it's a directory and error out which breaks old configs or just add .mgc to the config value and see if we really got the file.
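Added example, not part of the thread and not Suricata's code: the directory-versus-file check discussed above, in C, covering both options (reject a directory via stat, and retry with .mgc appended). The names `naive_exists`, `is_regular_file` and `resolve_magic_file` are hypothetical, and the open-for-read check stands in for the existence test the thread describes.

```c
/* Added example (not Suricata code): validate a configured magic-file value. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* The pitfall from the thread: opening for read also succeeds on a directory. */
int naive_exists(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return 0;
    fclose(fp);
    return 1;
}

/* True only for an existing regular file; a directory does not count. */
int is_regular_file(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Hypothetical helper: try the value as written, then with ".mgc" appended,
 * so configs written for the old yaml comment keep working.
 * Returns 0 with the usable path in out, or -1 with errno set. */
int resolve_magic_file(const char *configured, char *out, size_t outlen)
{
    const char *suffix[] = { "", ".mgc" };
    if (configured == NULL || *configured == '\0') { errno = EINVAL; return -1; }
    for (size_t i = 0; i < 2; i++) {
        int n = snprintf(out, outlen, "%s%s", configured, suffix[i]);
        if (n < 0 || (size_t)n >= outlen) { errno = ENAMETOOLONG; return -1; }
        if (is_regular_file(out)) return 0;
    }
    errno = ENOENT;
    return -1;
}

int main(int argc, char **argv)
{
    char path[4096];
    if (argc != 2) { fprintf(stderr, "usage: %s <magic-file value>\n", argv[0]); return 2; }
    if (resolve_magic_file(argv[1], path, sizeof(path)) != 0) { perror(argv[1]); return 1; }
    printf("using magic-file %s%s\n", path, strcmp(path, argv[1]) ? " (.mgc appended)" : "");
    return 0;
}
```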
Updated by Andreas Herz almost 9 years ago
- Status changed from New to Closed
Since magic_load(NULL) works on *nix systems (chooses the system default) we can skip defining it and just leave it active for windows.
Fixed in https://github.com/inliniac/suricata/commit/15c98c6085fb4e4d23accc34e660841ef735778a?diff=unified (Thanks to Jason for the config idea) and https://github.com/inliniac/suricata/commit/adbf8bec747680f4b259b4dc37b2156f2f01d6b8 suppresses some of the leaks found by DrMemory that are related to libmagic itself.
Updated by Victor Julien almost 9 years ago
- Target version changed from TBD to 3.0.1RC1