[Oisf-users] suricata -T with run-as
Jason Ish
ish at unx.ca
Thu Mar 29 13:53:31 UTC 2018
On 2018-03-28 09:36 PM, Russell Fulton wrote:
> Hi
>
> I am getting set up with suricata-update and I have come across a minor issue: once update has processed the rules it runs suricata with the -T option to make really sure that the resulting rule file is kosher before reloading it. This is as it should be :). I use the run-as option to drop to an unprivileged account in suricata.yaml and I have always run pulledpork from a non-root account. Now if I run update from a non-root account suricata -T dies when it tries to change uid (it dies with a pretty obscure exception).
It's been too long since I used pulledpork, did it run the Suricata test process as well? How did it deal with permissions?
>
> Sigh…
>
> It isn’t clear to me what the best workaround is here: in the short term I am using sudo to run update but I view this as less than ideal. Long term I can see good arguments for *not* changing the behaviour of -T in relation to run-as.
The actual best practice here is still to be determined I think. It would be nice if it just worked without any root.
I see 2 workarounds that could be easy. Specify a --test-command yourself. I don't like this one as we try to do the right thing by default.
Another option is I could consider adding a --test-with-sudo option that only does the test with sudo.
Ultimately I think the best solution will require some cooperative changes between suricata, suricata-update and the install permissions.
Note, human cooperation is not the issue, it's defining best practice and implementing it.
> Lastly but probably most importantly kudos to Jason for an excellent job. I was able to convert from PP (which I hate ;) in a few hours and I have extensive configuration fiddling.
Thanks!
Jason
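The first workaround mentioned in the reply above, supplying your own --test-command to suricata-update, can be wired up with a small wrapper like the one below. This is an added example, not code from the thread or from the suricata-update project. It assumes suricata-update runs the given command through a shell, that suricata accepts -T, -c and -S, and the binary, config and rule-file paths shown (override them through the environment variables). The wrapper only prepends sudo when the caller is not already root, which is the situation in which -T with run-as fails while trying to change uid; running as root, it calls suricata directly.

```shell
#!/bin/sh
# Constructed example wrapper for suricata-update's --test-command.
# Paths are assumptions; adjust them to the local installation.
SURICATA_BIN="${SURICATA_BIN:-/usr/bin/suricata}"
SURICATA_CONF="${SURICATA_CONF:-/etc/suricata/suricata.yaml}"
RULE_FILE="${RULE_FILE:-/var/lib/suricata/rules/suricata.rules}"

# Compose the test command for the given effective uid ($1).
# Root can run "suricata -T" directly, since dropping to the run-as user
# succeeds from uid 0. Any other uid gets "sudo -n" prepended so the test
# never stalls on a password prompt when run unattended.
compose_test_cmd() {
    uid="$1"
    base="$SURICATA_BIN -T -c $SURICATA_CONF -S $RULE_FILE"
    if [ "$uid" -eq 0 ]; then
        printf '%s\n' "$base"
    else
        printf 'sudo -n %s\n' "$base"
    fi
}

# Run the composed command and propagate suricata's exit status, so that
# suricata-update sees a failed rule test as a failure.
run_test() {
    cmd=$(compose_test_cmd "$(id -u)")
    # shellcheck disable=SC2086
    $cmd
}

# Only execute when invoked with --run, e.g.:
#   suricata-update --test-command "/usr/local/bin/suricata-test.sh --run"
if [ "${1:-}" = "--run" ]; then
    run_test
    exit $?
fi
```

The sudoers entry that lets the unprivileged update account run this command should be restricted to the exact suricata binary and -T invocation rather than a blanket rule, so the only privileged operation reachable from that account is the configuration test.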