/tmp/tmpm296mhk5/fast.log\ permission denied

a_m · September 6, 2024, 10:29am

hello ,
i can’t execute the following script :

sudo suricata-update
#on copie les règles dans le bon dossier
sudo cp -r /usr/var/lib/suricata/rules/suricata.rules /usr/share/suricata/rules/suricata.rules
#on associe les accès du dossier à un bon utilisateur
sudo chown -R suricata:suricata /usr/var/lib/suricata/rules
sudo chown -R suricata:suricata /usr/share/suricata/rules/
#on associe les bonnes persmissions
sudo chmod 755 /usr/var/lib/suricata/rules/suricata.rules
#on redémarre correctement les services avec le redémarrage de tous les démons qui sont des programmes tournant en arrière plan comme sous windows, que l'on peut aussi appeler des services
sudo systemctl daemon-reload && sudo systemctl restart suricata.service

without having this error :

rging-deleted.rules
6/9/2024 -- 12:24:47 - <Info> -- Loaded 52443 rules.
6/9/2024 -- 12:24:47 - <Info> -- Disabled 5 rules.
6/9/2024 -- 12:24:47 - <Info> -- Enabled 0 rules.
6/9/2024 -- 12:24:47 - <Info> -- Modified 0 rules.
6/9/2024 -- 12:24:47 - <Info> -- Dropped 0 rules.
6/9/2024 -- 12:24:48 - <Info> -- Enabled 136 rules for flowbit dependencies.
6/9/2024 -- 12:24:48 - <Info> -- Backing up current rules.
6/9/2024 -- 12:24:50 - <Info> -- Writing rules to /usr/var/lib/suricata/rules/suricata.rules: total: 52443; enabled: 39802; added: 42; removed 2; modified: 1169
6/9/2024 -- 12:24:50 - <Info> -- Writing /usr/var/lib/suricata/rules/classification.config
6/9/2024 -- 12:24:51 - <Info> -- Testing with suricata -T.
{"timestamp":"2024-09-06T12:24:51.185556+0200","log_level":"Error","event_type":"engine","engine":{"message":"Error opening file: \"/tmp/tmpi791hebg/fast.log\": Permission denied","thread_name":"Suricata-Main","module":"logopenfile"}}
{"timestamp":"2024-09-06T12:24:51.185861+0200","log_level":"Error","event_type":"engine","engine":{"message":"output module \"fast\": setup failed","thread_name":"Suricata-Main","module":"runmodes"}}
6/9/2024 -- 12:24:51 - <Error> -- Suricata test failed, aborting.
6/9/2024 -- 12:24:51 - <Error> -- Restoring previous rules.
alexandre@alexandre-developpeur:~/Documents$

why ?i wrote this : sudo setfacl -m u:suricata:rwx /tmp

best regards

ish · September 6, 2024, 1:48pm

Do you have Suricata configured to run as a non-root user with run-as in your suricata.yaml?

a_m · September 15, 2024, 8:59pm

normally yes but I’m reinstalling everything

a_m · September 18, 2024, 2:23pm

I still have the problem, the installation script for suricata is as follows : ./scripts/bundle.sh ./autogen.sh \ autoreconf -i \ sudo chmod +x ./autogen.sh ./configure --prefix=/usr/ --bindir=/usr/bin/ --sbindir=/usr/sbin/ --libdir=/usr/lib/ --sysconfdir=/etc/ --enable-python --enable-debug --enable-unittests --enable-ebpf-build --enable-geoip --enable-af-packet --enable-nflog --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/lib/x86_64-linux-gnu/ --with-libhtp-includes=/usr/local/include/htp --with-libhtp-libraries=/usr/lib --with-libyaml-libraries=/usr/lib/x86_64-linux-gnu --enable-nfqueue \ && cargo install --force cbindgen && sudo make -j10 && sudo make install-full, and then i put this in shell :

 sudo chmod -R 750  /usr/bin/share/doc/suricata
sudo chmod -R 750  /usr/bin/share/suricata
sudo chmod -R 750  /usr/bin/lib/suricata
sudo chmod -R 750  /usr/bin/var/run/suricata
sudo chmod -R 750  /usr/bin/var/lib/suricata
sudo chmod -R 750  /usr/bin/suricata
sudo chmod -R 750  /usr/share/doc/suricata
sudo chmod -R 750  /usr/share/suricata
sudo chmod -R 750  /usr/lib/suricata
sudo chmod -R 750  /usr/lib/suricata/python/suricata
sudo chmod -R 750  /usr/var/run/suricata
sudo chmod -R 750 /usr/var/lib/suricata
sudo chmod -R 750 /usr/var/log/suricata
sudo chmod -R 750 /usr/local/share/doc/suricata
sudo chmod -R 750  /usr/local/share/suricata
sudo chmod -R 750 /usr/local/lib/suricata
sudo chmod -R 750 /usr/local/var/run/suricata
sudo chmod -R 750  /usr/local/var/lib/suricata
sudo chmod -R 750 /usr/local/var/log/suricata
sudo chmod -R 750 /usr/local/etc/suricata


sudo chown -R suricata:suricata   /usr/bin/share/doc/suricata
sudo chown -R suricata:suricata   /usr/bin/share/suricata
sudo chown -R suricata:suricata   /usr/bin/lib/suricata
sudo chown -R suricata:suricata   /usr/bin/var/run/suricata
sudo chown -R suricata:suricata   /usr/bin/var/lib/suricata
sudo chown -R suricata:suricata   /usr/bin/suricata
sudo chown -R suricata:suricata   /usr/share/doc/suricata
sudo chown -R suricata:suricata   /usr/share/suricata
sudo chown -R suricata:suricata   /usr/lib/suricata
sudo chown -R suricata:suricata   /usr/lib/suricata/python/suricata
sudo chown -R suricata:suricata   /usr/var/run/suricata
sudo chown -R suricata:suricata  /usr/var/lib/suricata
sudo chown -R suricata:suricata  /usr/var/log/suricata
sudo chown -R suricata:suricata  /usr/local/share/doc/suricata
sudo chown -R suricata:suricata  /usr/local/share/suricata
sudo chown -R suricata:suricata  /usr/local/lib/suricata
sudo chown -R suricata:suricata  /usr/local/var/run/suricata
sudo chown -R suricata:suricata   /usr/local/var/lib/suricata
sudo chown -R suricata:suricata  /usr/local/var/log/suricata
sudo chown -R suricata:suricata /usr/local/etc/suricata

sudo setcap cap_net_admin,cap_net_raw,cap_sys_nice+eip /usr/bin/suricata`

the content of my daemon configuration is :

[Unit]
Description=Suricata IDS/IPS service
After=network.target

[Service]
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -q 0
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
User=suricata
Group=suricata
WorkingDirectory=/usr/suricata
PIDFile=/run/suricata.pid
LimitNOFILE=65536
StandardOutput=file:/var/log/suricata/suricata.log
StandardError=file:/var/log/suricata/suricata_error.log


[Install]
WantedBy=multi-user.target

Is this a missing right that I need to add to user and group suricata? and my script to update rules is:

 sudo suricata-update
#on copie les règles dans le bon dossier
sudo cp -r /usr/var/lib/suricata/rules/suricata.rules /usr/share/suricata/rules/suricata.rules
#on associe les accès du dossier à un bon utilisateur
sudo chown -R suricata:suricata /usr/var/lib/suricata/rules
sudo chown -R suricata:suricata /usr/share/suricata/rules/
#on associe les bonnes persmissions
sudo chmod 755 /usr/var/lib/suricata/rules/suricata.rules
#on redémarre correctement les services avec le redémarrage de tous les démons qui sont des programmes tournant en arrière plan comme sous windows, que l'on peut aussi appeler des services
sudo systemctl daemon-reload && sudo systemctl restart suricata.service

and the result is :

18/9/2024 -- 16:28:03 - <Info> -- Writing /usr/var/lib/suricata/rules/classification.config
18/9/2024 -- 16:28:03 - <Info> -- Testing with suricata -T.
{"timestamp":"2024-09-18T16:28:03.537904+0200","log_level":"Error","event_type":"engine","engine":{"message":"Error opening file: \"/tmp/tmp7zr9r6wc/fast.log\": Permission denied","thread_name":"Suricata-Main","module":"logopenfile"}}
{"timestamp":"2024-09-18T16:28:03.538271+0200","log_level":"Error","event_type":"engine","engine":{"message":"output module \"fast\": setup failed","thread_name":"Suricata-Main","module":"runmodes"}}
18/9/2024 -- 16:28:03 - <Error> -- Suricata test failed, aborting.
18/9/2024 -- 16:28:03 - <Error> -- Restoring previous rules.
alexandre@alexandre-developpeur:~/Documents$
``` and i've this in /etc/suricata/suricata.yaml :

in my /etc/suricata.yaml:

Run Suricata with a specific user-id and group-id:

run-as:
user: suricata
group: suricata

a_m · September 18, 2024, 9:04pm

ok i reinstalled suricata with this script , and no more problem :

 ./scripts/bundle.sh
./autogen.sh \
autoreconf -i \
sudo chmod +x ./autogen.sh
 ./configure --prefix=/usr/            --bindir=/usr/bin/            --sbindir=/usr/sbin/            --libdir=/usr/lib/             --sysconfdir=/etc/             --enable-python             --enable-debug             --enable-unittests             --enable-ebpf-build             --enable-geoip             --enable-af-packet             --enable-nflog             --with-libpcap-includes=/usr/local/include             --with-libpcap-libraries=/usr/lib/x86_64-linux-gnu/             --with-libhtp-includes=/usr/local/include/htp  --with-libhtp-libraries=/usr/lib --with-libyaml-libraries=/usr/lib/x86_64-linux-gnu --enable-nfqueue  \
  &&  cargo install --force cbindgen  && sudo make -j10 && sudo make install-full

a_m · September 21, 2024, 12:59pm

no i’ve stilll the same problem

a_m · September 24, 2024, 11:02am

iI must regularly reinstall suricata,here my configurations

alexandre@alexandre-developpeur:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 24.04.1 LTS
Release:	24.04
Codename:	noble
alexandre@alexandre-developpeur:~$ uname -r
6.9.9-060909-generic
alexandre@alexandre-developpeur:~$

a_m · October 4, 2024, 2:40pm

the file doesn’t exist in tmp directory
regards

a_m · October 12, 2024, 6:35pm

vidéo démonstration :Capture vidéo du 2024-10-12 20-31-35.webm - Google Drive

Topic		Replies	Views
[ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "C:\\Program Files\\Suricata\\log/fast.log": Permission denied Help suricata	4	2298	February 15, 2023
Suricata-update ERRCODE: when suricata -T runs Rules	7	1952	February 22, 2023
Permissions in /var/lib/suricata to update rules as suricata user Help rules	2	274	April 6, 2024
Suricata-update fails with permissions error to temp file Help suricata-update	1	91	June 21, 2024
Suricata-update aborts with permission error Help suricata-update	5	797	July 31, 2023

/tmp/tmpm296mhk5/fast.log\ permission denied

Run Suricata with a specific user-id and group-id:

Related topics