summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSlawomir Lis <slis@gentoo.org>2016-12-28 13:59:11 +0100
committerSlawomir Lis <slis@gentoo.org>2016-12-28 13:59:11 +0100
commit2c174cb604c2c99f9d9e8ac4fab438d0aedf7ab1 (patch)
tree07a40b5c10fbee817bfa9cd05adc0f11958580b2 /net-analyzer/suricata
parentdev-lang/polyml: Bump to 5.6 (diff)
downloadgentoo-2c174cb604c2c99f9d9e8ac4fab438d0aedf7ab1.tar.gz
gentoo-2c174cb604c2c99f9d9e8ac4fab438d0aedf7ab1.tar.bz2
gentoo-2c174cb604c2c99f9d9e8ac4fab438d0aedf7ab1.zip
net-analyzer/suricata: Dropping user privs in init script
Bug #602590 Package-Manager: Portage-2.3.3, Repoman-2.3.1
Diffstat (limited to 'net-analyzer/suricata')
-rw-r--r--net-analyzer/suricata/files/suricata-3.2-conf12
-rw-r--r--net-analyzer/suricata/files/suricata-3.2-init39
-rw-r--r--net-analyzer/suricata/suricata-3.2-r1.ebuild5
3 files changed, 43 insertions, 13 deletions
diff --git a/net-analyzer/suricata/files/suricata-3.2-conf b/net-analyzer/suricata/files/suricata-3.2-conf
index fc6885d25309..d8466b43fb34 100644
--- a/net-analyzer/suricata/files/suricata-3.2-conf
+++ b/net-analyzer/suricata/files/suricata-3.2-conf
@@ -29,7 +29,7 @@
# SURICATA_CONF="suricata.yaml"
# You can define the options here:
-# NB: avoid using -l, -c and setting logging.outputs.1.file.filename as the init script will try to set them for you.
+# NB: avoid using -l, -c, --user, --group and setting logging.outputs.1.file.filename as the init script will try to set them for you.
# SURICATA_OPTS_q0="-q 0"
# SURICATA_OPTS_q1="-q 1"
@@ -44,3 +44,13 @@ SURICATA_OPTS="-i eth0"
# SURICATA_LOG_FILE_q0="/var/log/suricata/q0/suricata.log"
# SURICATA_LOG_FILE_q1="/var/log/suricata/q1/suricata.log"
# SURICATA_LOG_FILE="/var/log/suricata/suricata.log"
+
+# Run as user/group.
+# Do not define if you want to run as root or as the user defined in the yaml config file (run-as).
+# The ebuild should have created the dedicated user/group suricata:suricata for you to specify here below.
+# SURICATA_USER_q0="suricata"
+# SURICATA_GROUP_q0="suricata"
+# SURICATA_USER_q1="suricata"
+# SURICATA_GROUP_q1="suricata"
+# SURICATA_USER="suricata"
+# SURICATA_GROUP="suricata"
diff --git a/net-analyzer/suricata/files/suricata-3.2-init b/net-analyzer/suricata/files/suricata-3.2-init
index 1717dbb32729..b276f4901bb1 100644
--- a/net-analyzer/suricata/files/suricata-3.2-init
+++ b/net-analyzer/suricata/files/suricata-3.2-init
@@ -13,13 +13,19 @@ if [ -n "${SURICATA}" ] && [ ${SVCNAME} != "suricata" ]; then
SURICATAPID="/var/run/suricata/suricata.${SURICATA}.pid"
eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID}
eval SURICATALOGPATH=\$SURICATA_LOG_FILE_${SURICATAID}
+ eval SURICATAUSER=\$SURICATA_USER_${SURICATAID}
+ eval SURICATAGROUP=\$SURICATA_GROUP_${SURICATAID}
else
SURICATACONF=${SURICATA_CONF}
[ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
SURICATAPID="/var/run/suricata/suricata.pid"
SURICATAOPTS=${SURICATA_OPTS}
SURICATALOGPATH=${SURICATA_LOG_FILE}
+ SURICATAUSER=${SURICATA_USER}
+ SURICATAGROUP=${SURICATA_GROUP}
fi
+SURICATAUSER=${SURICATAUSER:-${SURICATA_USER}}
+SURICATAGROUP=${SURICATAGROUP:-${SURICATA_GROUP}}
[ -e ${SURICATACONF} ] && SURICATAOPTS="${SURICATAOPTS} -c ${SURICATACONF}"
description="Suricata IDS/IPS"
@@ -37,11 +43,6 @@ depend() {
}
checkconfig() {
- if [ ! -e ${SURICATACONF} ] ; then
- einfo "The configuration file ${SURICATACONF} was not found."
- einfo "If this is OK then make sure you set enough options for ${SVCNAME} in /etc/conf.d/suricata."
- einfo "Take a look at the suricata arguments --set and --dump-config."
- fi
if [ ! -d "/var/run/suricata" ] ; then
checkpath -d /var/run/suricata
fi
@@ -52,9 +53,22 @@ checkconfig() {
if [ ! -d "${SURICATALOGPATH}" ] ; then
checkpath -d "${SURICATALOGPATH}"
fi
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ] && [ -e "${SURICATALOGPATH}" ]; then
+ chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}" || return 1
+ chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}"/* >/dev/null 2>&1 3>&1
+ fi
SURICATAOPTS="${SURICATAOPTS} --set logging.outputs.1.file.filename=${SURICATALOGPATH}/${SURICATALOGFILE}"
SURICATALOGPATH="-l ${SURICATALOGPATH}"
fi
+ if [ ! -e ${SURICATACONF} ] ; then
+ einfo "The configuration file ${SURICATACONF} was not found."
+ einfo "If this is OK then make sure you set enough options for ${SVCNAME} in /etc/conf.d/suricata."
+ einfo "Take a look at the suricata arguments --set and --dump-config."
+ fi
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ einfo "${SVCNAME} will run as user ${SURICATAUSER}:${SURICATAGROUP}."
+ SURICATAOPTS="${SURICATAOPTS} --user=${SURICATAUSER} --group=${SURICATAGROUP}"
+ fi
}
initpidinfo() {
@@ -77,8 +91,7 @@ checkpidinfo() {
eerror "Unable to determine user running ${SVCNAME}!"
return 1
elif [ "x${SUR_USER}" != "xroot" ]; then
- eerror "${SVCNAME} must be running as root for reload or relog to work!"
- return 1
+ ewarn "${SVCNAME} may need to be running as root or as a priviledged user for the extra commands reload and relog to work."
fi
}
@@ -135,7 +148,11 @@ reload() {
checkpidinfo || return 1
checkconfig || return 1
ebegin "Sending USR2 signal to ${SVCNAME} to perform a live rule and config reload."
- start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal USR2 --pidfile ${SURICATAPID}
+ else
+ start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+ fi
eend $?
}
@@ -143,7 +160,11 @@ relog() {
checkpidinfo || return 1
checkconfig || return 1
ebegin "Sending HUP signal to ${SVCNAME} to close and re-open all log files."
- start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal HUP --pidfile ${SURICATAPID}
+ else
+ start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+ fi
eend $?
}
diff --git a/net-analyzer/suricata/suricata-3.2-r1.ebuild b/net-analyzer/suricata/suricata-3.2-r1.ebuild
index 816a69d13a89..ee724a581968 100644
--- a/net-analyzer/suricata/suricata-3.2-r1.ebuild
+++ b/net-analyzer/suricata/suricata-3.2-r1.ebuild
@@ -34,6 +34,7 @@ DEPEND="
nfqueue? ( net-libs/libnetfilter_queue )
redis? ( dev-libs/hiredis )
logrotate? ( app-admin/logrotate )
+ sys-libs/libcap-ng
"
# #446814
# prelude? ( dev-libs/libprelude )
@@ -119,8 +120,6 @@ src_install() {
dodir "/var/lib/${PN}"
dodir "/var/log/${PN}"
- dodir "/var/log/${PN}" \
- "/var/lib/${PN}"
fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
@@ -151,7 +150,7 @@ pkg_postinst() {
elog "You can create as many ${PN}.foo* services as you wish."
if use logrotate; then
- elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logortate config file in /etc/logrotate.d/."
+ elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logrotate config file in /etc/logrotate.d/."
fi
if use debug; then