Snort mailing list archives

Re: snort 2.9.0.4 won't daemonize, OpenBSD 4.7


From: Joel Esler <jesler () sourcefire com>
Date: Fri, 8 Apr 2011 17:02:58 -0400

I know there were some corrections made for OpenBSD in 2.9.0.5, try and
upgrade.

Joel

On Fri, Apr 8, 2011 at 4:51 PM, Olaf Schreck <chakl () syscall de> wrote:

Replying to self with a workaround solution, for the archives

snort 2.9.0.4 on OpenBSD 4.7, running fine, but won't daemonize.

Is anyone running snort 2.9 on OpenBSD 4.7 or 4.8 who does NOT have this
problem?

I had a look at the daemonize code in util.c and rebuilt snort with
"CPPFLAGS=-DDEBUG sh configure.sh ..." to see the debug messages.  As
expected, the daemon parent waits for a "child ready" signal that never
arrives while the daemon child claims to have sent it.  Signal is
SIGCONT as defined in snort.h:

    #define SIGNAL_SNORT_CHILD_READY    29

So for some obscure reason, the daemon parent does not see SIGCONT from
the daemon child.  In the OpenBSD manpage for kill(2) I noticed

    Setuid and setgid processes are dealt with slightly differently.
    For the non-root user, to prevent attacks against such processes,
    some signal deliveries are not permitted and return the error
    EPERM.  The following signals are allowed through to this class
    of processes: SIGKILL, SIGINT, SIGTERM, SIGSTOP, SIGTTIN, SIGTTOU,
    SIGTSTP, SIGHUP, SIGUSR1, SIGUSR2.

Since SIGCONT was not mentioned in the list above, I tried changing the
"child-ready" signal to SIGUSR2:

    #define SIGNAL_SNORT_CHILD_READY    31

Works fine as expected.

And no, I did not specify setuid/setgid on the command line or in
snort.conf, and ran it as root.  I have no idea why SIGCONT is filtered
here, but SIGUSR2 is not.



At the end of the startup messages it says:

    Spawning daemon child...
    My daemon child 3777 lives...
     0x8151dc00*running     15 -c-------f 0000 main

but it doesn't come back to the shell prompt.  I can ^C out and see the
snort child process.  With ^Z, I see 2 snort processes.  Obviously the
parent won't exit while daemonizing.  Any clues why?

The daemonized child runs and alerts just fine.

This happens regardless whether I use -D on the cmdline, "config daemon"
in snort.conf, or both.


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
Twitter:  http://twitter.com/snort
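The parent/child "ready" handshake discussed in this thread, as an added example that is not Snort's util.c and not from either poster: the child checks the return value of kill() instead of assuming delivery, and the parent bounds its wait so a signal that never arrives becomes a timeout rather than a hung parent. The names `handshake` and `HS_*` and the timeout parameter are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
enum { HS_OK = 0, HS_TIMEOUT = 1, HS_ERROR = -1 };
static volatile sig_atomic_t got_ready, got_alarm;
static void on_ready(int s) { (void)s; got_ready = 1; }
static void on_alarm(int s) { (void)s; got_alarm = 1; }

/* Added example, not Snort code: parent waits for wait_sig, child sends send_sig (0 = nothing). */
int handshake(int wait_sig, int send_sig, unsigned timeout_sec)
{
    struct sigaction sa;
    sigset_t block, old;
    pid_t child;
    memset(&sa, 0, sizeof sa);
    sigemptyset(&sa.sa_mask);
    sa.sa_handler = on_ready;
    if (sigaction(wait_sig, &sa, NULL) == -1) return HS_ERROR;
    sa.sa_handler = on_alarm;
    if (sigaction(SIGALRM, &sa, NULL) == -1) return HS_ERROR;
    /* Block both before fork() so an early signal stays pending instead of being lost. */
    sigemptyset(&block);
    sigaddset(&block, wait_sig);
    sigaddset(&block, SIGALRM);
    sigprocmask(SIG_BLOCK, &block, &old);
    got_ready = got_alarm = 0;
    if ((child = fork()) == 0) {
        /* Child: surface a refused delivery (e.g. EPERM) rather than claiming success. */
        if (kill(getppid(), send_sig) == -1) {
            fprintf(stderr, "child: kill(%d): %s\n", send_sig, strerror(errno));
            _exit(1);
        }
        _exit(0);
    }
    alarm(timeout_sec);
    while (child > 0 && !got_ready && !got_alarm)
        sigsuspend(&old);   /* atomically unblock and sleep until a handler runs */
    alarm(0);
    sigprocmask(SIG_SETMASK, &old, NULL);
    if (child == -1) return HS_ERROR;
    waitpid(child, NULL, 0);
    return got_ready ? HS_OK : HS_TIMEOUT;
}

int main(void) { return handshake(SIGUSR2, SIGUSR2, 2) == HS_OK ? 0 : 1; }
```

Calling `handshake(SIGUSR2, 0, 1)` models the reported symptom: the child's kill() succeeds but sends nothing, and the parent returns `HS_TIMEOUT` after one second instead of blocking forever.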
