[Oisf-users] suricata pid 'feature'

Russell Fulton r.fulton at auckland.ac.nz
Thu Aug 8 01:04:01 UTC 2013


I am running suricata with the --user and --group switches.  I do all my management on my sensors from this user and I have a sudo entry for the user for /usr/bin/suricata with nopasswd that allows the user to start suri.

The problem is that suricata creates its pid file before switching uids so the pid file is owned by root.root with permissions of -rw-r----- and so my scripts cannot read the pid file.

I can work around this by searching the process table but it would be nice not to have to.  I take it the process keeps the file open as it always manages to delete it when shutting down.  I *can* kill the suri process from the sensor uid.

Is this something that could (or should?) be fixed?
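
The workaround mentioned in the message (use the pid file when it is readable, otherwise search the process table), as an added example that is not part of the original post and not Suricata project code. The pid file path, the process name and the reliance on Linux /proc are assumptions.

```shell
#!/bin/sh
# Added example: locate a daemon's PID from an unprivileged management account.
# Assumed values (not from the post): pid file path, process name, Linux /proc.

# is_daemon PID NAME UID
# True only if PID is alive, its kernel "comm" name is NAME and it runs as UID.
# comm can differ from the binary name if the daemon renames its main thread,
# so confirm the right value once with: cat /proc/<pid>/comm
is_daemon() {
    [ "$(cat "/proc/$1/comm" 2>/dev/null)" = "$2" ] &&
        [ "$(stat -c %u "/proc/$1" 2>/dev/null)" = "$3" ]
}

# find_daemon_pid PIDFILE NAME UID
# Prints the PID and returns 0, or returns 1 if no matching process exists.
find_daemon_pid() {
    pidfile=$1; procname=$2; uid=$3

    # 1. Preferred source: the pid file, if this account may read it.
    if [ -r "$pidfile" ]; then
        pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
        case $pid in
            ''|*[!0-9]*) ;;   # empty or non-numeric content: ignore the file
            *)  # A stale file may name a PID that was reused by another
                # process, so verify before trusting (or signalling) it.
                if is_daemon "$pid" "$procname" "$uid"; then
                    echo "$pid"; return 0
                fi ;;
        esac
    fi

    # 2. Fallback: scan the process table for a matching name and owner.
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        if is_daemon "$pid" "$procname" "$uid"; then
            echo "$pid"; return 0
        fi
    done
    return 1
}

# Usage (assumed path and name; the daemon runs as the calling user after
# dropping privileges, so its UID matches `id -u`):
#   pid=$(find_daemon_pid /var/run/suricata.pid suricata "$(id -u)") &&
#       kill -USR2 "$pid"
```

Checking the name and owner before using the PID means a leftover or root-only pid file never causes a signal to be sent to an unrelated process.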

