Snort mailing list archives
Re: Trying to develop a systemd snort script, running into errors removing/creating pid files
From: "Josh Rosenbaum (jrosenba)" <jrosenba () cisco com>
Date: Thu, 23 Oct 2014 19:31:26 +0000
Hi Tony, The pid file is created before Snort drops its permission to the level provided by the ‘-u’ option. So, in this case, the pid file is created with superuser permissions. Then, snort drops its permission level to the ‘snort’ user. Finally, when exiting, Snort does not elevate its permissions back to the superuser. So, the ‘snort’ user attempts to delete the pid file created and owned by superuser. The result is the error that you mentioned. I have created a bug in our system for this problem. Josh From: Tony Robinson <deusexmachina667 () gmail com<mailto:deusexmachina667 () gmail com>> Date: Thursday, October 23, 2014 at 9:00 AM To: "snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>" <snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net>>, mailinglist mailinglist <snort-devel () lists sourceforge net<mailto:snort-devel () lists sourceforge net>> Subject: [Snort-devel] Trying to develop a systemd snort script, running into errors removing/creating pid files Hello There, I'm working on an update for autosnort and I figured it was high past time for me to stop half-assing boot persistence for Snort via rc.local and make actual init scripts or similar. So here I am, trying to make a systemd script. The goals are to bring up the network interface in promisc mode, start snort, and start barnyard2. The script does that. Rather well. Probably not the way systemd devs want one to do it... but we'll cross that bridge later. My problem comes when I try to kill snort or barnyard2. The kill command works, but there's errors in the logs: Oct 23 09:38:10 localhost snort[2502]: Could not remove pid file /var/run//snort_ens33.pid: Permission denied Oct 23 09:38:10 localhost snort[2502]: Snort exiting Barnyard2 doesn't seem to care that it can't remove the pid file and that's fine, I suppose, because restarting Snort/Barnyard2 seem to work fine: Oct 23 09:45:38 localhost snort[2912]: Checking PID path... Oct 23 09:45:38 localhost snort[2912]: PID path stat checked out ok, PID path set to /var/run/ Oct 23 09:45:38 localhost snort[2912]: Writing PID "2912" to file "/var/run//snort_ens33.pid" Oct 23 09:45:43 localhost barnyard2[2915]: PID path stat checked out ok, PID path set to /var/run/ Oct 23 09:45:43 localhost barnyard2[2915]: Writing PID "2915" to file "/var/run//barnyard2_ens33.pid" Here are the options I use to start snort: snort -D -u snort -g snort -c /opt/snort/etc/snort.conf -i ens33 Here are the options I use to start barnyard2: barnyard2 -c /opt/snort/etc/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo -D I know a lot of stuff changed in centOS 7. I noticed that one of them was that /var/run is now a symlink to /run. What would cause Snort/BY2 to have permissions to follow the pid file and write their pids, but then not have permissions to remove the pid file after execution has stopped? I've attached the systemd script I wrote as well.
------------------------------------------------------------------------------
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Trying to develop a systemd snort script, running into errors removing/creating pid files Tony Robinson (Oct 23)
- Re: [Snort-users] Trying to develop a systemd snort script, running into errors removing/creating pid files Shirkdog (Oct 23)
- Re: Trying to develop a systemd snort script, running into errors removing/creating pid files Josh Rosenbaum (jrosenba) (Oct 23)
- Re: Trying to develop a systemd snort script, running into errors removing/creating pid files Robert Millott (Oct 27)