[Oisf-users] suricata -T with run-as
Russell Fulton
r.fulton at auckland.ac.nz
Thu Mar 29 03:36:31 UTC 2018
Hi
I am getting set up with suricata-update and I have come across a minor issue: once update has processed the rules it runs suricata with the -T option to make really sure that the resulting rule file is kosher before reloading it. This is as it should be :). I use the run-as option to drop to an unprivileged account in suricata.yaml and I have always run pulledpork from a non-root account. Now if I run update from a non-root account, suricata -T dies when it tries to change uid (it dies with a pretty obscure exception).
Sigh…
It isn’t clear to me what the best workaround is here: in the short term I am using sudo to run update, but I view this as less than ideal. Long term I can see good arguments for *not* changing the behaviour of -T in relation to run-as.
Lastly, but probably most importantly, kudos to Jason for an excellent job. I was able to convert from PP (which I hate ;) in a few hours, and I have extensive configuration fiddling.
Russell
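The failure described in the post (suricata -T dropping privileges via run-as, which only root can do) can be caught before the test runs. The following preflight wrapper is an added example, not code from the post, from suricata-update or from the Suricata project: it reads the `run-as:` block from a suricata.yaml (the standard `run-as: / user: / group:` layout, with a commented-out block meaning "not configured"), compares it with the current uid, and only then invokes `suricata -T`. The function names, the `SURICATA` variable and the verdict strings are the example's own choices.

```shell
#!/bin/sh
# Preflight for "suricata -T" when suricata.yaml uses run-as.
# Added example: names and messages are this script's own, not Suricata's.

# Print the user configured under the top-level "run-as:" key, or nothing
# when the block is absent or commented out. Any new top-level key ends
# the block, so an indented "user:" elsewhere in the file is ignored.
runas_user() {
    awk '
        /^[^#[:space:]]/ { inblock = ($0 ~ /^run-as:/) }
        inblock && /^[[:space:]]+user:/ {
            sub(/^[[:space:]]+user:[[:space:]]*/, "")
            sub(/[[:space:]#].*$/, "")
            gsub(/["'\'']/, "")
            print
            exit
        }
    ' "$1"
}

# Decide whether "suricata -T -c <yaml>" can run as the given uid
# (defaults to the current effective uid). Returns 0 when it can,
# 1 when run-as is configured but the caller is not root.
preflight() {
    yaml=$1
    uid=${2:-$(id -u)}
    user=$(runas_user "$yaml")
    if [ -z "$user" ]; then
        echo "ok: no run-as configured, suricata -T can run as uid $uid"
        return 0
    fi
    if [ "$uid" -eq 0 ]; then
        echo "ok: run-as user '$user' configured and running as root"
        return 0
    fi
    echo "skip: run-as user '$user' configured but uid $uid is not root;" \
         "suricata -T would fail while dropping privileges"
    return 1
}

# Run the rule test only when the preflight passes. SURICATA may point
# at a specific binary; it defaults to whatever "suricata" resolves to.
test_rules() {
    yaml=$1
    preflight "$yaml" || return 1
    "${SURICATA:-suricata}" -T -c "$yaml"
}

# Usage: sh preflight.sh /etc/suricata/suricata.yaml
if [ "$#" -gt 0 ]; then
    test_rules "$1"
fi
```

Running the preflight from the unprivileged account that drives suricata-update turns the obscure exception into a clear "skip" line and a non-zero exit, so a cron job or update hook can decide to run the test under sudo or against a copy of the config without run-as.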