[Oisf-users] suricata -T with run-as

Jason Ish ish at unx.ca
Thu Mar 29 13:53:31 UTC 2018

On 2018-03-28 09:36 PM, Russell Fulton wrote:
> Hi
> I am getting set up with suricata-update and I have come across a minor issue:    once update has processed the rules it runs suricata with the -T option to really sure that the resulting rule file is kosher before reloading it.   This is as it should be :).  I use run-as option to drop to an unprivileged account in suricata.yaml and I have always run pulledpork from an non root account.   Now if I run update from a non root account suricata -T dies when it tried to change uid.  (it dies with a pretty obscure exception).

It's been too long since I used pulledpork; did it run the Suricata test 
process as well? How did it deal with permissions?

> Sigh…
> It isn't clear to me what the best workaround is here: in the short term I am using sudo to run update, but I view this as less than ideal. Long term I can see good arguments for *not* changing the behaviour of -T in relation to run-as.

The actual best practice here is still to be determined I think. It 
would be nice if it just worked without any root.

I see two workarounds that could be easy. Specify a --test-command 
yourself. I don't like this one, as we try to do the right thing by default.

Another option is I could consider adding a --test-with-sudo option that 
only does the test with sudo.

Ultimately I think the best solution will require some cooperative 
changes between suricata, suricata-update and the install permissions. 
Note, human cooperation is not the issue; it's defining best practice and 
implementing it.

> Lastly but probably most importantly, kudos to Jason for an excellent job. I was able to convert from PP (which I hate ;) in a few hours and I have done extensive configuration fiddling.
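As an added illustration of the first workaround Jason mentions above (not code from the thread, suricata-update or Suricata), here is a wrapper that can be handed to suricata-update as --test-command. It runs suricata -T directly when it already has root or when suricata.yaml has no active run-as block, and only escalates with sudo -n when an unprivileged account would otherwise die on the uid change. The binary, config and rules paths, the script name test-rules.sh and the sudoers fragment in the comment are assumptions for the example; adjust them to your install.

```shell
#!/bin/sh
# test-rules.sh: wrapper for `suricata-update --test-command /usr/local/bin/test-rules.sh`
# (added example; all paths below are assumptions, not suricata-update defaults).
#
# To let an unprivileged updater run ONLY this exact test as root, pin the full
# command line in sudoers with no wildcards, e.g. in /etc/sudoers.d/suricata-test
# (assumed file name; "updater" is the assumed account suricata-update runs as):
#   updater ALL=(root) NOPASSWD: /usr/bin/suricata -T -c /etc/suricata/suricata.yaml -S /var/lib/suricata/rules/suricata.rules
# The arguments in that rule must match build_test_cmd's output byte for byte.

SURICATA=${SURICATA:-/usr/bin/suricata}
CONFIG=${SURICATA_CONFIG:-/etc/suricata/suricata.yaml}
RULES=${SURICATA_RULES:-/var/lib/suricata/rules/suricata.rules}

# run_as_configured CONFIG: exit 0 if suricata.yaml has an uncommented
# top-level "run-as:" block with a non-empty "user:" entry, else exit 1.
# Comment lines are skipped so the stock commented-out block does not count.
run_as_configured() {
    awk '
        /^[[:space:]]*#/                                  { next }
        /^run-as:/                                        { inblock = 1; next }
        inblock && /^[^[:space:]]/                        { inblock = 0 }
        inblock && /^[[:space:]]+user:[[:space:]]*[^[:space:]#]/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# build_test_cmd UID CONFIG RULES: print the command line to run.
# sudo -n (non-interactive) is used only when we are not root AND run-as is
# active, so a missing sudoers rule fails fast instead of hanging on a prompt.
build_test_cmd() {
    uid=$1; conf=$2; rules=$3
    base="$SURICATA -T -c $conf -S $rules"
    if [ "$uid" -ne 0 ] && run_as_configured "$conf"; then
        echo "sudo -n $base"
    else
        echo "$base"
    fi
}

# Only act when invoked as the wrapper itself (lets the functions be sourced).
case "${0##*/}" in
    test-rules.sh) exec $(build_test_cmd "$(id -u)" "$CONFIG" "$RULES") ;;
esac
```

Because the sudoers rule pins every argument, the wrapper deliberately uses fixed paths rather than forwarding whatever suricata-update would pass; if you change the arguments (for example adding -l with a log directory the run-as user can write to, should -T complain about the default one after dropping privileges), update the sudoers line to match or sudo -n will refuse the command.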

