[Oisf-users] suricata pid 'feature'

Peter Manev petermanev at gmail.com
Thu Aug 8 07:50:35 UTC 2013


On Thu, Aug 8, 2013 at 3:04 AM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> Hi
>
> I am running suricata with the --user and --group switches.  I do all my management on my sensors from this user and I have a sudo entry for the user for /usr/bin/suricata with nopasswd that allows the user to start suri.
>
> The problem is that suricata creates its pid file before switching uids so the pid file is owned by root.root with permissions of -rw-r----- and so my scripts can not read the pid file.
>
> I can work around this by searching the process table but it would be nice not to have to.  I take it the process keeps the file open as it always manages to delete it when shutting down.  I *can* kill the suri process from the sensor uid.
>
> Is this something that could (or should?) be fixed?
>


I assume you have followed this guide:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Dropping_Privileges_After_Startup
?

thanks


-- 
Regards,
Peter Manev
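
The workaround described in the quoted message (falling back to the process table when the root-owned pid file cannot be read), as an added example that is not part of the thread or of Suricata. The names `find_pid` and `pid_is` are hypothetical, the pid file path in the usage comment is a sample, and it assumes Linux `/proc`; pass the process name exactly as `/proc/PID/comm` shows it on the sensor.

```shell
#!/bin/sh
# Added example: locate a daemon's PID from an unprivileged management account.
# Usage (sample path and name): find_pid /var/run/suricata.pid suricata
# Prints the matching PID(s), one per line; returns 1 if none is found.

# True if PID $1 is alive and its command name (/proc/PID/comm) equals $2.
pid_is() {
    [ -r "/proc/$1/comm" ] && [ "$(cat "/proc/$1/comm" 2>/dev/null)" = "$2" ]
}

find_pid() {
    pidfile=$1 name=$2 pid=
    # 1. Prefer the pid file when this user is allowed to read it.
    if [ -r "$pidfile" ]; then
        read -r pid < "$pidfile" || true
        case $pid in
            ''|*[!0-9]*) pid= ;;    # empty or non-numeric content: ignore it
        esac
        # A stale pid file can name a dead or recycled PID, so verify the
        # process behind it before trusting the value.
        if [ -n "$pid" ] && pid_is "$pid" "$name"; then
            echo "$pid"
            return 0
        fi
    fi
    # 2. Pid file unreadable (e.g. root-owned, mode 0640), stale or garbage:
    #    search the process table instead.
    found=1
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        if pid_is "$p" "$name"; then
            echo "$p"
            found=0
        fi
    done
    return $found
}
```

More than one line of output means several processes share the name, so a management script should treat that as ambiguous rather than signal the first PID.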


