[Oisf-users] suricata -T with run-as

Russell Fulton r.fulton at auckland.ac.nz
Thu Mar 29 03:36:31 UTC 2018


Hi

I am getting set up with suricata-update and I have come across a minor issue:    once update has processed the rules it runs suricata with the -T option to really sure that the resulting rule file is kosher before reloading it.   This is as it should be :).  I use run-as option to drop to an unprivileged account in suricata.yaml and I have always run pulledpork from an non root account.   Now if I run update from a non root account suricata -T dies when it tried to change uid.  (it dies with a pretty obscure exception).

Sigh…

It isn’t clear to me what the best work around is here:  in the short term I am using sudo to run update but I view this as less than ideal.  Long term I can see good arguments for *not* changing the behaviour of -T in relation to run-as.  


Lastly but probably most importantly kudos to Jason for an excellent job.  I was able to convert from PP (which I hate ;) in a few hours and I have extensive configuration fiddling.   

Russell




More information about the Oisf-users mailing list