From 2c174cb604c2c99f9d9e8ac4fab438d0aedf7ab1 Mon Sep 17 00:00:00 2001
From: Slawomir Lis
Date: Wed, 28 Dec 2016 13:59:11 +0100
Subject: net-analyzer/suricata: Dropping user privs in init script
Bug #602590
Package-Manager: Portage-2.3.3, Repoman-2.3.1
---
 net-analyzer/suricata/files/suricata-3.2-conf | 12 ++++++++-
 net-analyzer/suricata/files/suricata-3.2-init | 39 ++++++++++++++++++++-------
 net-analyzer/suricata/suricata-3.2-r1.ebuild | 5 ++--
 3 files changed, 43 insertions(+), 13 deletions(-)
 (limited to 'net-analyzer/suricata')
diff --git a/net-analyzer/suricata/files/suricata-3.2-conf b/net-analyzer/suricata/files/suricata-3.2-conf
index fc6885d25309..d8466b43fb34 100644
--- a/net-analyzer/suricata/files/suricata-3.2-conf
+++ b/net-analyzer/suricata/files/suricata-3.2-conf
@@ -29,7 +29,7 @@
 # SURICATA_CONF="suricata.yaml"
 # You can define the options here:
-# NB: avoid using -l, -c and setting logging.outputs.1.file.filename as the init script will try to set them for you.
+# NB: avoid using -l, -c, --user, --group and setting logging.outputs.1.file.filename as the init script will try to set them for you.
 # SURICATA_OPTS_q0="-q 0"
 # SURICATA_OPTS_q1="-q 1"
@@ -44,3 +44,13 @@ SURICATA_OPTS="-i eth0"
 # SURICATA_LOG_FILE_q0="/var/log/suricata/q0/suricata.log"
 # SURICATA_LOG_FILE_q1="/var/log/suricata/q1/suricata.log"
 # SURICATA_LOG_FILE="/var/log/suricata/suricata.log"
+
+# Run as user/group.
+# Do not define if you want to run as root or as the user defined in the yaml config file (run-as).
+# The ebuild should have created the dedicated user/group suricata:suricata for you to specify here below.
+# SURICATA_USER_q0="suricata"
+# SURICATA_GROUP_q0="suricata"
+# SURICATA_USER_q1="suricata"
+# SURICATA_GROUP_q1="suricata"
+# SURICATA_USER="suricata"
+# SURICATA_GROUP="suricata"
diff --git a/net-analyzer/suricata/files/suricata-3.2-init b/net-analyzer/suricata/files/suricata-3.2-init
index 1717dbb32729..b276f4901bb1 100644
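Review bot: The new comment block in the second hunk does not say what happens to an instance service whose per-instance `SURICATA_USER_q0`/`SURICATA_GROUP_q0` are left unset: the init script changed in this same commit falls back to the global `SURICATA_USER`/`SURICATA_GROUP`, and it only drops privileges when both user and group end up non-empty, so setting just one of the pair leaves the daemon running as root with no error. Both facts belong next to the examples, e.g. `# Instance services fall back to SURICATA_USER/SURICATA_GROUP when their per-instance variants are unset; always set user AND group together, otherwise privileges are not dropped.`.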
--- a/net-analyzer/suricata/files/suricata-3.2-init
+++ b/net-analyzer/suricata/files/suricata-3.2-init
@@ -13,13 +13,19 @@ if [ -n "${SURICATA}" ] && [ ${SVCNAME} != "suricata" ]; then
 SURICATAPID="/var/run/suricata/suricata.${SURICATA}.pid"
 eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID}
 eval SURICATALOGPATH=\$SURICATA_LOG_FILE_${SURICATAID}
+ eval SURICATAUSER=\$SURICATA_USER_${SURICATAID}
+ eval SURICATAGROUP=\$SURICATA_GROUP_${SURICATAID}
 else
 SURICATACONF=${SURICATA_CONF}
 [ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
 SURICATAPID="/var/run/suricata/suricata.pid"
 SURICATAOPTS=${SURICATA_OPTS}
 SURICATALOGPATH=${SURICATA_LOG_FILE}
+ SURICATAUSER=${SURICATA_USER}
+ SURICATAGROUP=${SURICATA_GROUP}
 fi
+SURICATAUSER=${SURICATAUSER:-${SURICATA_USER}}
+SURICATAGROUP=${SURICATAGROUP:-${SURICATA_GROUP}}
 [ -e ${SURICATACONF} ] && SURICATAOPTS="${SURICATAOPTS} -c ${SURICATACONF}"
 description="Suricata IDS/IPS"
@@ -37,11 +43,6 @@ depend() {
 }
 checkconfig() {
- if [ ! -e ${SURICATACONF} ] ; then
- einfo "The configuration file ${SURICATACONF} was not found."
- einfo "If this is OK then make sure you set enough options for ${SVCNAME} in /etc/conf.d/suricata."
- einfo "Take a look at the suricata arguments --set and --dump-config."
- fi
 if [ ! -d "/var/run/suricata" ] ; then
 checkpath -d /var/run/suricata
 fi
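Review bot: The two fallback assignments after `fi`, `SURICATAUSER=${SURICATAUSER:-${SURICATA_USER}}` and its group twin, are redundant for the `else` branch, which assigned exactly those values two lines earlier, and for instance services they let a user taken from `SURICATA_USER_<id>` be paired with a group taken from the global `SURICATA_GROUP` whenever only one per-instance value is set. Mixing credentials from two different settings is probably not intended for a privilege-drop option; either restrict the fallback to the instance branch and require both values there, or make the inheritance explicit with `# Instance services inherit the global SURICATA_USER/SURICATA_GROUP for any per-instance value left unset.`. The `if`/`else` these lines extend starts before the hunk.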
@@ -52,9 +53,22 @@ checkconfig() {
 if [ ! -d "${SURICATALOGPATH}" ] ; then
 checkpath -d "${SURICATALOGPATH}"
 fi
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ] && [ -e "${SURICATALOGPATH}" ]; then
+ chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}" || return 1
+ chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}"/* >/dev/null 2>&1 3>&1
+ fi
 SURICATAOPTS="${SURICATAOPTS} --set logging.outputs.1.file.filename=${SURICATALOGPATH}/${SURICATALOGFILE}"
 SURICATALOGPATH="-l ${SURICATALOGPATH}"
 fi
+ if [ ! -e ${SURICATACONF} ] ; then
+ einfo "The configuration file ${SURICATACONF} was not found."
+ einfo "If this is OK then make sure you set enough options for ${SVCNAME} in /etc/conf.d/suricata."
+ einfo "Take a look at the suricata arguments --set and --dump-config."
+ fi
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ einfo "${SVCNAME} will run as user ${SURICATAUSER}:${SURICATAGROUP}."
+ SURICATAOPTS="${SURICATAOPTS} --user=${SURICATAUSER} --group=${SURICATAGROUP}"
+ fi
 }
 initpidinfo() {
@@ -77,8 +91,7 @@ checkpidinfo() {
 eerror "Unable to determine user running ${SVCNAME}!"
 return 1
 elif [ "x${SUR_USER}" != "xroot" ]; then
- eerror "${SVCNAME} must be running as root for reload or relog to work!"
- return 1
+ ewarn "${SVCNAME} may need to be running as root or as a priviledged user for the extra commands reload and relog to work."
 fi
 }
@@ -135,7 +148,11 @@ reload() {
 checkpidinfo || return 1
 checkconfig || return 1
 ebegin "Sending USR2 signal to ${SVCNAME} to perform a live rule and config reload."
- start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal USR2 --pidfile ${SURICATAPID}
+ else
+ start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+ fi
 eend $?
 }
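Review bot: Every new user/group gate in checkconfig requires both `SURICATAUSER` and `SURICATAGROUP` to be non-empty, so an administrator who sets only one of them gets no error and the daemon quietly keeps running as root; checkconfig should reject a half-configured pair rather than silently omitting `--user`/`--group`. The second `chown` also runs as root over `"${SURICATALOGPATH}"/*` right after the directory itself has been handed to the service user; without `-h` chown dereferences symlinks, so an ownership change could land on whatever a link inside that directory points at — pass `-h` for the glob and quote the `user:group` argument, and drop the `3>&1`, which has no visible purpose. The outer `if` wrapping the log-path handling starts before the hunk, so the validation below is meant for the top of the function.
```shell
	# … unchanged: /var/run/suricata handling …
	if [ -n "${SURICATAUSER}${SURICATAGROUP}" ] && { [ -z "${SURICATAUSER}" ] || [ -z "${SURICATAGROUP}" ]; }; then
		eerror "SURICATA_USER and SURICATA_GROUP must be set together, or both left unset."
		return 1
	fi
	# … unchanged: log directory creation …
		if [ -n "${SURICATAUSER}" ] && [ -e "${SURICATALOGPATH}" ]; then
			chown "${SURICATAUSER}:${SURICATAGROUP}" "${SURICATALOGPATH}" || return 1
			# -h: never follow symlinks inside a directory the service user can write to
			chown -h "${SURICATAUSER}:${SURICATAGROUP}" "${SURICATALOGPATH}"/* >/dev/null 2>&1
		fi
	# … unchanged: --set logging.outputs… / -l handling, config-file einfo, --user/--group options …
```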
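Review bot: `priviledged` in the new ewarn string of checkpidinfo is misspelled; `ewarn "${SVCNAME} may need to be running as root or as a privileged user for the extra commands reload and relog to work."`. Because the branch no longer returns 1, reload and relog now proceed to start-stop-daemon regardless of who owns the process and the outcome is only reported through `eend $?`, so the message could state that plainly instead of "may need to". The function's opening lines lie before the hunk.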
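Review bot: The user/group branching around start-stop-daemon in reload is duplicated verbatim in relog (next hunk), differing only in the signal name, and both copies pass `${SURICATAUSER}`, `${SURICATAGROUP}` and `${SURICATAPID}` unquoted. A small helper taking the signal keeps the two in step and gives one place to quote the arguments; reload would then call `sendsig USR2` and relog `sendsig HUP`.
```shell
# Signal the running daemon through start-stop-daemon, passing the configured
# user/group along when the service was started with privileges dropped.
sendsig() {
	local sig="$1"
	if [ -n "${SURICATAUSER}" ] && [ -n "${SURICATAGROUP}" ]; then
		start-stop-daemon --user "${SURICATAUSER}" --group "${SURICATAGROUP}" \
			--signal "${sig}" --pidfile "${SURICATAPID}"
	else
		start-stop-daemon --signal "${sig}" --pidfile "${SURICATAPID}"
	fi
}

reload() {
	# … unchanged: checkpidinfo / checkconfig / ebegin …
	sendsig USR2
	eend $?
}
```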
@@ -143,7 +160,11 @@ relog() {
 checkpidinfo || return 1
 checkconfig || return 1
 ebegin "Sending HUP signal to ${SVCNAME} to close and re-open all log files."
- start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal HUP --pidfile ${SURICATAPID}
+ else
+ start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+ fi
 eend $?
 }
diff --git a/net-analyzer/suricata/suricata-3.2-r1.ebuild b/net-analyzer/suricata/suricata-3.2-r1.ebuild
index 816a69d13a89..ee724a581968 100644
--- a/net-analyzer/suricata/suricata-3.2-r1.ebuild
+++ b/net-analyzer/suricata/suricata-3.2-r1.ebuild
@@ -34,6 +34,7 @@ DEPEND="
 nfqueue? ( net-libs/libnetfilter_queue )
 redis? ( dev-libs/hiredis )
 logrotate? ( app-admin/logrotate )
+ sys-libs/libcap-ng
 "
 # #446814
 # prelude? ( dev-libs/libprelude )
@@ -119,8 +120,6 @@ src_install() {
 dodir "/var/lib/${PN}"
 dodir "/var/log/${PN}"
- dodir "/var/log/${PN}" \
- "/var/lib/${PN}"
 fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
 fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
@@ -151,7 +150,7 @@ pkg_postinst() {
 elog "You can create as many ${PN}.foo* services as you wish."
 if use logrotate; then
- elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logortate config file in /etc/logrotate.d/."
+ elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logrotate config file in /etc/logrotate.d/."
 fi
 if use debug; then
-- cgit v1.2.3-65-gdbad
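Review bot: `sys-libs/libcap-ng` is added to DEPEND only; whether it also becomes a runtime dependency depends on how RDEPEND is defined elsewhere in the ebuild, which this hunk does not show — if RDEPEND is not derived from DEPEND, the library behind the new `--user`/`--group` options is not guaranteed to be present when the init script uses them. The line is also unconditional and uncommented while the privilege drop it supports is optional in the init script, so a short note such as `# needed for --user/--group privilege dropping in the init script` would help the next maintainer, and if suricata's configure can be told to require libcap-ng rather than autodetect it, that would keep a build from silently producing a binary that cannot drop privileges.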