[Oisf-users] suricata -T with run-as

Jason Ish ish at unx.ca
Thu Mar 29 18:15:13 UTC 2018

On Thu, 2018-03-29 at 16:36 +1300, Russell Fulton wrote:
> Hi
> I am getting set up with suricata-update and I have come across a
> minor issue:    once update has processed the rules it runs suricata
> with the -T option to really sure that the resulting rule file is
> kosher before reloading it.   This is as it should be :).  I use run-
> as option to drop to an unprivileged account in suricata.yaml and I
> have always run pulledpork from an non root account.   Now if I run
> update from a non root account suricata -T dies when it tried to
> change uid.  (it dies with a pretty obscure exception).
> Sigh…
> It isn’t clear to me what the best work around is here:  in the short
> term I am using sudo to run update but I view this as less than
> ideal.  Long term I can see good arguments for *not* changing the
> behaviour of -T in relation to run-as.  

Something I just realized is my systemd configuration for Suricata uses
--user to set the user on the command line, instead of the
configuration. So this lets Suricata run as non-root, and allows me to
run suricata-update as non-root (but in the suricata group).

So thats another work-around for now.


More information about the Oisf-users mailing list