Snort mailing list archives

Re: Trying to develop a systemd snort script, running into errors removing/creating pid files


From: "Josh Rosenbaum (jrosenba)" <jrosenba () cisco com>
Date: Thu, 23 Oct 2014 19:31:26 +0000

Hi Tony,

The pid file is created before Snort drops its permission to the level provided by the ‘-u’ option. So, in this case, the pid file is created with superuser permissions. Then, snort drops its permission level to the ‘snort’ user. Finally, when exiting, Snort does not elevate its permissions back to the superuser. So, the ‘snort’ user attempts to delete the pid file created and owned by superuser. The result is the error that you mentioned.

I have created a bug in our system for this problem.

Josh
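As an added illustration of the mechanism Josh describes (example code written for this archive page, not code from the thread or from the Snort project), the script below predicts whether a process that has dropped to a given uid/gid could still unlink a pid file, and reproduces the situation in a scratch directory: the file is written before the privilege drop into a root-owned, mode 0755 directory standing in for /var/run, and the check is repeated for a pid directory the unprivileged user may write to. The uid 65534 standing in for the ‘snort’ user, the temporary paths and the file name are all constructed for the demo; supplementary groups are deliberately not consulted, which is a simplification.

```python
import os
import stat
import tempfile


def unlink_allowed(pid_path, uid, gid):
    """Predict whether a process running as uid/gid could unlink pid_path.

    unlink(2) is governed by the parent directory: the caller needs write
    and search (execute) permission on it, and ownership of the file itself
    only matters when the directory carries the sticky bit, in which case the
    caller must own the file or the directory. Root bypasses both checks.
    Assumption/simplification: supplementary groups are not consulted.
    """
    parent = os.path.dirname(os.path.abspath(pid_path))
    dst = os.stat(parent)
    if uid == 0:
        return True
    if dst.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dst.st_gid == gid:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    if (dst.st_mode & need) != need:
        return False
    if dst.st_mode & stat.S_ISVTX and os.path.exists(pid_path):
        owner = os.stat(pid_path).st_uid
        if owner != uid and dst.st_uid != uid:
            return False
    return True


def demo():
    """Reproduce the thread's situation in a scratch directory.

    Returns (root_can_remove, snort_user_in_root_dir, snort_user_in_own_dir).
    """
    # Constructed ids for the 'snort' user; chosen so they never match the
    # account running this demo, which owns the temporary directories.
    snort_uid = 65534 if os.getuid() != 65534 else 65533
    snort_gid = 65534 if os.getgid() != 65534 else 65533
    with tempfile.TemporaryDirectory() as scratch:
        run_dir = os.path.join(scratch, "run")  # stands in for /var/run
        os.mkdir(run_dir)
        os.chmod(run_dir, 0o755)  # explicit chmod: mkdir's mode is subject to umask
        # The pid file is written before the privilege drop, as Snort does it.
        pid_path = os.path.join(run_dir, "snort_ens33.pid")
        with open(pid_path, "w") as fh:
            fh.write("%d\n" % os.getpid())
        root_can_remove = unlink_allowed(pid_path, 0, 0)
        snort_in_root_dir = unlink_allowed(pid_path, snort_uid, snort_gid)
        # Mitigation: a pid directory the unprivileged user may write to.
        own_dir = os.path.join(run_dir, "snort")
        os.mkdir(own_dir)
        os.chmod(own_dir, 0o777)  # demo only; in production chown it to snort and use 0o750
        own_path = os.path.join(own_dir, "snort_ens33.pid")
        with open(own_path, "w") as fh:
            fh.write("%d\n" % os.getpid())
        snort_in_own_dir = unlink_allowed(own_path, snort_uid, snort_gid)
        return root_can_remove, snort_in_root_dir, snort_in_own_dir


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True)
```

The point the check makes is that removing a pid file needs write access to its directory, so the usual remedy is to point the daemon at a pid directory owned by the account it drops to (Snort's `--pid-path` option selects that directory) rather than to change the mode of /run itself.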


From: Tony Robinson <deusexmachina667 () gmail com>
Date: Thursday, October 23, 2014 at 9:00 AM
To: "snort-users () lists sourceforge net" <snort-users () lists sourceforge net>, mailinglist mailinglist <snort-devel () lists sourceforge net>
Subject: [Snort-devel] Trying to develop a systemd snort script, running into errors removing/creating pid files

Hello There,

I'm working on an update for autosnort and I figured it was high time for me to stop half-assing boot persistence 
for Snort via rc.local and make actual init scripts or similar.

So here I am, trying to make a systemd script. The goals are to bring up the network interface in promisc mode, start 
snort, and start barnyard2. The script does that. Rather well. Probably not the way systemd devs want one to do it... 
but we'll cross that bridge later.

My problem comes when I try to kill snort or barnyard2. The kill command works, but there are errors in the logs:

Oct 23 09:38:10 localhost snort[2502]: Could not remove pid file /var/run//snort_ens33.pid: Permission denied
Oct 23 09:38:10 localhost snort[2502]: Snort exiting

Barnyard2 doesn't seem to care that it can't remove the pid file and that's fine, I suppose, because restarting 
Snort/Barnyard2 seems to work fine:

Oct 23 09:45:38 localhost snort[2912]: Checking PID path...
Oct 23 09:45:38 localhost snort[2912]: PID path stat checked out ok, PID path set to /var/run/
Oct 23 09:45:38 localhost snort[2912]: Writing PID "2912" to file "/var/run//snort_ens33.pid"

Oct 23 09:45:43 localhost barnyard2[2915]: PID path stat checked out ok, PID path set to /var/run/
Oct 23 09:45:43 localhost barnyard2[2915]: Writing PID "2915" to file "/var/run//barnyard2_ens33.pid"

Here are the options I use to start snort:
snort -D -u snort -g snort -c /opt/snort/etc/snort.conf -i ens33

Here are the options I use to start barnyard2:
barnyard2 -c /opt/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D

I know a lot of stuff changed in CentOS 7. I noticed that one of them was that /var/run is now a symlink to /run. What 
would cause Snort/BY2 to have permissions to follow the pid file and write their pids, but then not have permissions to 
remove the pid file after execution has stopped?

I've attached the systemd script I wrote as well.
------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!