[Oisf-users] suricata -T with run-as
Jason Ish
ish at unx.ca
Thu Mar 29 18:15:13 UTC 2018
On Thu, 2018-03-29 at 16:36 +1300, Russell Fulton wrote:
> Hi
>
> I am getting set up with suricata-update and I have come across a
> minor issue: once update has processed the rules it runs suricata
> with the -T option to be really sure that the resulting rule file is
> kosher before reloading it. This is as it should be :). I use the
> run-as option to drop to an unprivileged account in suricata.yaml and I
> have always run pulledpork from a non-root account. Now if I run
> update from a non-root account suricata -T dies when it tries to
> change uid. (It dies with a pretty obscure exception.)
>
> Sigh…
>
> It isn’t clear to me what the best workaround is here: in the short
> term I am using sudo to run update but I view this as less than
> ideal. Long term I can see good arguments for *not* changing the
> behaviour of -T in relation to run-as.
Something I just realized is my systemd configuration for Suricata uses
--user to set the user on the command line, instead of the
configuration. So this lets Suricata run as non-root, and allows me to
run suricata-update as non-root (but in the suricata group).
So that's another work-around for now.
Jason
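
The work-around described in this message, sketched as a systemd drop-in. This is an added example, not Jason's actual unit file; the drop-in path, the binary and config paths, the `--af-packet` capture option and the `suricata` account and group names are assumptions.

```ini
# /etc/systemd/system/suricata.service.d/override.conf   (assumed drop-in path)
#
# Precondition in suricata.yaml: the run-as block stays commented out, so a
# `suricata -T` started by a non-root suricata-update has no uid change to
# attempt:
#
#   #run-as:
#   #  user: suricata
#   #  group: suricata
#
# The account running suricata-update is a member of the suricata group
# (as in the message above), which gives it access to the rule files.

[Service]
# Clear the packaged ExecStart, then name the unprivileged account on the
# command line instead of in the configuration file. The service still
# starts as root and drops to this account.
ExecStart=
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --af-packet --user suricata --group suricata
```

After editing the drop-in, `systemctl daemon-reload` followed by a restart of the service applies it.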