[Oisf-users] suricata pid 'feature'

Russell Fulton r.fulton at auckland.ac.nz
Thu Aug 8 21:33:11 UTC 2013

On 8/08/2013, at 7:50 PM, Peter Manev <petermanev at gmail.com> wrote:
> I assume you have followed this guide:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Dropping_Privileges_After_Startup

That's a useful doc.  I was using pfring anyway so it just worked.  I have been running argus this way for many years.

The nit I have is simply *when* the pid file get written.  Suricata appears to write the pid file before it switches uid thus the pid file is owned by root and not readable by anything else.  If the writing of the pid file were delayed until after the uid switch then it would be owned by the target user.

<hold on a sec while I check something>

Work around: 'chmod g+s' to the rescue.

sensors at secmontst01:~$ ls -ld test1/run
drwxr-sr-x 2 sensors sensors 4096 Aug  9 09:20 test1/run

sensors at secmontst01:~$ ls -ld test1/run/suricata.pid 
-rw-r----- 1 root sensors 6 Aug  9 09:20 test1/run/suricata.pid

I can now read the pid file.

You may want to add this to the wiki article.

Cheers, Russell

More information about the Oisf-users mailing list