src built Suricata 6.0.5 | Ubuntu 20.04 | myricom SNF capture card
I’ve been troubleshooting a setup designed to run as an unprivileged user (suricata).
This deployment utilizes a myricom (SNF) capture card (libpcap/snf bits).
Additionally, this install is configured in suricata.yaml as run-as: suricata/suricata.
The self tests were first noticed failing using suricata-update. When run directly, the suricata self-test also fails as the suricata user, but does so silently (exit code 1 with no displayed error).
suricata@hostname:/usr/local/etc/suricata$ strace /usr/local/bin/suricata -T -l /tmp/ -c /usr/local/etc/suricata/suricata.yaml -S /usr/local/var/lib/suricata/rules/suricata.rules
[...]
getrandom("\xff\xbe\x31\x32\xe2\x0c\xf7\x4b", 8, 0) = 8
getrandom("\x86\x8b\xab\x99\x4d\x1a\x17\xc0", 8, 0) = 8
gettid() = 143863
sendto(3, "<31>Jul 6 19:05:04 suricata: [1"..., 96, MSG_NOSIGNAL, NULL, 0) = 96
gettid() = 143863
sendto(3, "<31>Jul 6 19:05:04 suricata: [1"..., 96, MSG_NOSIGNAL, NULL, 0) = 96
gettid() = 143863
sendto(3, "<31>Jul 6 19:05:04 suricata: [1"..., 81, MSG_NOSIGNAL, NULL, 0) = 81
gettid() = 143863
sendto(3, "<31>Jul 6 19:05:04 suricata: [1"..., 93, MSG_NOSIGNAL, NULL, 0) = 93
capget({version=0 /* _LINUX_CAPABILITY_VERSION_??? */, pid=0}, NULL) = 0
gettid() = 143863
openat(AT_FDCWD, "/proc/sys/kernel/cap_last_cap", O_RDONLY) = 4
read(4, "37\n", 7) = 3
close(4) = 0
prctl(PR_SET_KEEPCAPS, 1) = 0
capset({version=_LINUX_CAPABILITY_VERSION_3, pid=143863}, {effective=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP, permitted=1<<CAP_SETGID|1<<CAP_SETUID|1<<CAP_SETPCAP, inheritable=0}) = -1 EPERM (Operation not permitted)
gettid() = 143863
sendto(3, "<27>Jul 6 19:05:04 suricata: [1"..., 119, MSG_NOSIGNAL, NULL, 0) = 119
exit_group(1) = ?
6/7/2022 -- 19:05:04 - <Info> - Running suricata under test mode
+++ exited with 1 +++
This leads me to believe it is a problem with the suricata run-as utilizing set_guid or similar as a nonprivileged user. The error seems to go away if it is executed as root or the run-as: declarations are removed.
The goal is to run all functions as a nonprivileged user. For now I suppose a sidestep might be to explicitly allow sudo suricata execution? Open to other suggestions.
Filesystem permissions appear to be correct.
I would expect at minimum the self test to error out with a more friendly message on a permissions issue related to execution.
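The strace above shows the actual failure point: capset() asking for CAP_SETGID, CAP_SETUID and CAP_SETPCAP returns EPERM because the process, already running as the unprivileged suricata user, does not hold them. The script below is an added example (not part of the original post and not Suricata's own code, which uses libcap-ng) of the pre-flight check a practitioner can run to get the friendlier message the post asks for: it reads the CapEff set from /proc/<pid>/status and reports which of the three capabilities the run-as drop would need are missing. It assumes the standard capability bit numbers from linux/capability.h (CAP_SETGID=6, CAP_SETUID=7, CAP_SETPCAP=8) and a cap_last_cap of 37 as on the page; the two /proc status texts are constructed samples, and run_as_check / check_self are hypothetical helper names.

```python
# Added example, not Suricata's code: decide before a run-as drop whether the
# process holds the capabilities the capset() call in the strace asked for.
import re

# Bit numbers from linux/capability.h (assumption: unchanged on this kernel).
RUN_AS_CAPS = {"CAP_SETGID": 6, "CAP_SETUID": 7, "CAP_SETPCAP": 8}


def parse_cap_sets(status_text):
    """Return {"CapInh": int, "CapPrm": int, ...} from /proc/<pid>/status text."""
    caps = {}
    pattern = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$"
    for m in re.finditer(pattern, status_text, re.M):
        caps[m.group(1)] = int(m.group(2), 16)
    return caps


def missing_run_as_caps(status_text):
    """Names of the run-as capabilities absent from the effective set, sorted."""
    eff = parse_cap_sets(status_text).get("CapEff", 0)
    return sorted(name for name, bit in RUN_AS_CAPS.items() if not (eff >> bit) & 1)


def run_as_check(status_text, user, group):
    """(ok, message): the friendly verdict a self-test could print before capset()."""
    missing = missing_run_as_caps(status_text)
    if not missing:
        return True, "process can switch to %s:%s" % (user, group)
    return False, (
        "run-as %s:%s requested but the process lacks %s; "
        "start as root or remove run-as from suricata.yaml"
        % (user, group, ", ".join(missing))
    )


def check_self(user="suricata", group="suricata"):
    """Run the check against the current process (Linux only)."""
    with open("/proc/self/status") as f:
        return run_as_check(f.read(), user, group)


# Constructed samples: cap_last_cap is 37 on the page, so a full set is 0x3fffffffff.
ROOT_STATUS = (
    "Name:\tsuricata\nCapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\n"
)
UNPRIV_STATUS = (
    "Name:\tsuricata\nCapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t0000003fffffffff\nCapAmb:\t0000000000000000\n"
)
# Only CAP_SETGID and CAP_SETUID (bits 6 and 7 = 0xc0), no CAP_SETPCAP.
PARTIAL_STATUS = "Name:\tsuricata\nCapEff:\t00000000000000c0\n"

if __name__ == "__main__":
    for label, text in (("root", ROOT_STATUS), ("unprivileged", UNPRIV_STATUS),
                        ("partial", PARTIAL_STATUS)):
        ok, msg = run_as_check(text, "suricata", "suricata")
        print("%s: %s - %s" % (label, "OK" if ok else "FAIL", msg))
    ok, msg = check_self()
    print("this process: %s - %s" % ("OK" if ok else "FAIL", msg))
```

Running it as the suricata user on the host from the post would report all three capabilities missing, which is exactly the EPERM the strace shows; running it as root reports success. The check looks at CapEff only, since that is the set capset() needs to raise the requested bits from; the equivalent one-liner at a shell is grep CapEff /proc/self/status followed by capsh --decode on the hex value.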