Suricata -T test fails silently (exit code 1)

src built Suricata 6.0.5 | Ubuntu 20.04 | myricom SNF capture card
I’ve been troubleshooting a setup designed to run as an unprivileged user (suricata).
This deployment utilizes a Myricom (SNF) capture card (libpcap/snf bits).
Additionally, this install is configured in suricata.yaml as run-as: suricata/suricata.

The self tests were first noticed failing using suricata-update. When run directly, the suricata self-test also fails as the suricata user, but does so silently (exit code 1 with no displayed error).

suricata@hostname:/usr/local/etc/suricata$ strace /usr/local/bin/suricata -T -l /tmp/ -c /usr/local/etc/suricata/suricata.yaml -S /usr/local/var/lib/suricata/rules/suricata.rules
[...]
getrandom("\xff\xbe\x31\x32\xe2\x0c\xf7\x4b", 8, 0) = 8
getrandom("\x86\x8b\xab\x99\x4d\x1a\x17\xc0", 8, 0) = 8
gettid()                                = 143863
sendto(3, "<31>Jul  6 19:05:04 suricata: [1"..., 96, MSG_NOSIGNAL, NULL, 0) = 96
gettid()                                = 143863
sendto(3, "<31>Jul  6 19:05:04 suricata: [1"..., 96, MSG_NOSIGNAL, NULL, 0) = 96
gettid()                                = 143863
sendto(3, "<31>Jul  6 19:05:04 suricata: [1"..., 81, MSG_NOSIGNAL, NULL, 0) = 81
gettid()                                = 143863
sendto(3, "<31>Jul  6 19:05:04 suricata: [1"..., 93, MSG_NOSIGNAL, NULL, 0) = 93
capget({version=0 /* _LINUX_CAPABILITY_VERSION_??? */, pid=0}, NULL) = 0
gettid()                                = 143863
openat(AT_FDCWD, "/proc/sys/kernel/cap_last_cap", O_RDONLY) = 4
read(4, "37\n", 7)                      = 3
close(4)                                = 0
prctl(PR_SET_KEEPCAPS, 1)               = 0
capset({version=_LINUX_CAPABILITY_VERSION_3, pid=143863}, {effective=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP, permitted=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP, inheritable=0}) = -1 EPERM (Operation not permitted)
gettid()                                = 143863
sendto(3, "<27>Jul  6 19:05:04 suricata: [1"..., 119, MSG_NOSIGNAL, NULL, 0) = 119
exit_group(1)                           = ?
6/7/2022 -- 19:05:04 - <Info> - Running suricata under test mode
+++ exited with 1 +++

This leads me to believe it is a problem with the suricata run-as utilizing set_guid or similar as a nonprivileged user. The error seems to go away if it is executed as root or the run-as: declarations are removed.

The goal is to run all functions as a nonprivileged user. For now I suppose a sidestep might be to explicitly allow sudo suricata execution? Open to other suggestions.
Filesystem permissions appear to be correct.

I would expect at minimum the self test to error out with a more friendly message on permissions issue related to execution.

It appears the root cause is if you set run-as: in the suricata.yaml. Running suricata with this config attempts to setuid to the run-as user, which the unprivileged user may not have.

I was able to sidestep this by expanding the capabilities of the suricata user to execute via sudo, and modification of the test-command to include sudo. Another option was to declare the run-as user as a flag and remove the config option.

An error instead of silent exit 1 would of course continue to be preferable for troubleshooting.

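A pre-flight check that gives the friendly error the thread asks for, written as an added example (not Suricata's own code or the poster's setup): it reads the run-as user from suricata.yaml and tests whether the caller's effective capability set contains CAP_SETUID, CAP_SETGID and CAP_SETPCAP, the three bits the strace above shows capset() requesting before the EPERM and exit 1. Config path, the CapEff source and the YAML-reading awk are assumptions of this example.

```shell
#!/bin/sh
# Added example: explain ahead of time why `suricata -T` would exit 1
# silently when run-as: is set and the caller cannot drop privileges.
# Capability bit numbers from <linux/capability.h>.
CAP_SETGID=6
CAP_SETUID=7
CAP_SETPCAP=8

# has_cap CAPEFF_HEX BIT -> success if BIT is set in the hex mask
# (CapEff as printed in /proc/<pid>/status, e.g. 0000003fffffffff).
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# capeff_self -> current process's effective capability mask (Linux only)
capeff_self() {
    awk '/^CapEff/ { print $2 }' /proc/self/status
}

# runas_user CONFIG -> the run-as user from suricata.yaml, empty if the
# block is absent or commented out (assumed minimal YAML reader, not a parser).
runas_user() {
    awk '/^[[:space:]]*#/ { next }
         /^run-as:/ { inblock = 1; next }
         inblock && /^[^[:space:]]/ { inblock = 0 }
         inblock && /user:/ { sub(/.*user:[[:space:]]*/, "");
                              sub(/[[:space:]]*#.*/, ""); print; exit }' "$1"
}

# preflight CONFIG CAPEFF_HEX -> 0 if a test run can drop privileges,
# 1 (with an explanation) if capset() would fail with EPERM as in the strace.
preflight() {
    user=$(runas_user "$1")
    if [ -z "$user" ]; then
        echo "no run-as configured in $1; no privilege drop needed"
        return 0
    fi
    for bit in $CAP_SETUID $CAP_SETGID $CAP_SETPCAP; do
        if ! has_cap "$2" "$bit"; then
            echo "run-as user '$user' is set but the caller lacks capability bit $bit"
            echo "suricata -T would fail in capset() with EPERM and exit 1; run as root or drop run-as:"
            return 1
        fi
    done
    return 0
}

# usage: preflight /usr/local/etc/suricata/suricata.yaml "$(capeff_self)"
```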