Suricata 8.0 non-root by default

Hello,

I have had a setup with Suricata 7.x which was installed from the PPA in Ubuntu. This version of Suricata ran as root by default, and I have built a toolchain around Suricata.

Suricata 8.0 has been released, which is great! However, it seems to want to run as a non-root user by default, and that breaks a lot of things in my setup. My workaround to run Suricata as root is to remove ‘--user suricata --group suricata’ from the systemd descriptor file, and add:

User=root

What is the reason Suricata does not run as root anymore, and is there an easier fix? A different package name to install, for example.

Thanks in advance!

You can also change that in the suricata.yaml in the run-as: section.
But it is recommended to run as dedicated user.

I have tried adjusting the run-as section in the configuration file, but this did not work. Do the command line switches --user and --group override what is configured in suricata.yaml? If so, this option does not solve the issue because the command line switches are included in the shipped systemd file.

If systemd does not start Suricata as root, I can imagine that the run-as section will not help much. Suricata might not have the privileges to change its user to root if it was not started as root.

You can remove the --user and --group section and just set it in the run-as, but yes, it would overwrite what is in the .yaml.

I’m currently doing some work to package Suricata 8 for Debian and I’m struggling with the same kind of issue, so I found this thread.

Suricata must be started as root first and can then drop its privileges [1]. Given that, the --user suricata --group suricata in the systemd service file might be the wrong way of doing that, because this would already start Suricata as non-root. Instead, as Andreas said, remove both options in the systemd service file (you can use systemd override files) and set the run-as in suricata.yaml. This worked well for me.

But: when running as non-root, Suricata needs write access to /var/run/suricata to create the unix command socket there. This folder’s permissions can be set during package installation (postinst), but after a reboot /var/run/ will be cleared because it’s on a tmpfs. Did you already find a way to recreate /var/run/suricata with correct permissions after a reboot?

[1] 5. Security Considerations — Suricata 8.0.0 documentation


This should be fine with systemd, the RPM has done this for years.

What you want to avoid is systemd unit file parameters that start the service as non-root: then systemd starts it as non-root and Suricata can’t do the setup it needs before dropping privileges.
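A worked version of the two fixes discussed above, added here as an example; it is not code from Suricata, the Ubuntu PPA, the Fedora RPM or the Debian packaging. It strips --user/--group from ExecStart via a systemd drop-in so systemd starts Suricata as root, sets run-as in suricata.yaml so Suricata drops privileges itself, and recreates the socket directory on the /run tmpfs at boot with a systemd-tmpfiles entry. Assumptions: the unit is named suricata.service, the config is /etc/suricata/suricata.yaml, the socket directory is /run/suricata (/var/run is a symlink to /run on current Debian and Ubuntu), and the unix socket is created after the privilege drop, as the Debian packager's post says. The tmpfiles entry is my suggestion, not something the thread states the RPM does; RuntimeDirectory= is deliberately not used, because systemd would own that directory as the unit's User= (root here) rather than as the run-as user. The functions take paths as arguments so they can be dry-run against temporary files before touching /etc.

```shell
#!/bin/sh
# Added example for this thread; assumed names: suricata.service,
# /etc/suricata/suricata.yaml, /run/suricata. Nothing here writes to /etc.

# Drop "--user X" / "--group X" (or --user=X / --group=X) from an ExecStart=
# line. With them gone, and no User= in the unit, systemd starts Suricata as
# root and Suricata itself switches to the run-as user after privileged setup.
strip_user_group() {
    printf '%s\n' "$1" |
        sed -E 's/[[:space:]]+--user[= ][^[:space:]]+//; s/[[:space:]]+--group[= ][^[:space:]]+//'
}

# Render a drop-in for "systemctl edit suricata.service" (it lands in
# /etc/systemd/system/suricata.service.d/override.conf). The empty ExecStart=
# clears the packaged command line before the replacement is set.
render_dropin() {
    cat <<EOF
[Service]
ExecStart=
$(strip_user_group "$1")
EOF
}

# Render a systemd-tmpfiles entry (for example /etc/tmpfiles.d/suricata.conf)
# that recreates the socket directory on the /run tmpfs at every boot, owned
# by the run-as user, so the unix command socket can be created there.
render_tmpfiles() {
    printf 'd /run/suricata 0755 %s %s -\n' "$1" "$2"
}

# Set run-as: in suricata.yaml. Handles both the commented-out default block
# ("#run-as:" / "#  user: suri" / "#  group: suri") and an already enabled
# one. The file is rewritten in place so its ownership and mode survive.
set_run_as() {
    yaml=$1 user=$2 group=$3
    tmp=$(mktemp)
    awk -v u="$user" -v g="$group" '
        /^#?run-as:/                { print "run-as:"; inblk = 1; next }
        inblk && /^#?[ \t]+user:/   { print "  user: " u; next }
        inblk && /^#?[ \t]+group:/  { print "  group: " g; next }
                                    { inblk = 0; print }
    ' "$yaml" > "$tmp" && cat "$tmp" > "$yaml"
    rm -f "$tmp"
}

# Check the effective unit (stdin, e.g. "systemctl cat suricata.service")
# still starts as root: no --user/--group on ExecStart= and no non-root User=.
# Returns 0 when the unit is fine, 1 when it would start as non-root.
unit_starts_as_root() {
    unit=$(cat)
    if printf '%s\n' "$unit" | grep -Eq '^ExecStart=.*--(user|group)[= ]'; then
        return 1
    fi
    if printf '%s\n' "$unit" | grep -Eq '^User=' &&
       ! printf '%s\n' "$unit" | grep -Eq '^User=root[[:space:]]*$'; then
        return 1
    fi
    return 0
}

# Dry run against a scratch copy of the default run-as block (constructed
# here) plus an ExecStart= line of the shape the PPA unit is described as
# shipping (assumed; the real line is not quoted in the thread).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '# Run Suricata with a specific user-id and group-id:' \
        '#run-as:' '#  user: suri' '#  group: suri' > "$dir/suricata.yaml"
    set_run_as "$dir/suricata.yaml" suricata suricata
    echo '--- override.conf'
    render_dropin 'ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata/suricata.pid --af-packet --user suricata --group suricata'
    echo '--- tmpfiles.d/suricata.conf'
    render_tmpfiles suricata suricata
    echo '--- suricata.yaml (run-as block)'
    cat "$dir/suricata.yaml"
    rm -r "$dir"
}

demo
```

To apply it for real: paste the render_dropin output into `systemctl edit suricata.service`, write the render_tmpfiles line to /etc/tmpfiles.d/suricata.conf and run `systemd-tmpfiles --create /etc/tmpfiles.d/suricata.conf` once (it runs automatically at boot afterwards), run set_run_as against /etc/suricata/suricata.yaml, restart the service, and verify with `systemctl cat suricata.service | unit_starts_as_root`. If you edit the unit file by hand instead of through `systemctl edit`, run `systemctl daemon-reload` first.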