/tmp/tmpm296mhk5/fast.log permission denied

Hello,
I can't execute the following script:

sudo suricata-update
# copy the rules into the right directory
sudo cp -r /usr/var/lib/suricata/rules/suricata.rules /usr/share/suricata/rules/suricata.rules
# give ownership of the directory to the right user
sudo chown -R suricata:suricata /usr/var/lib/suricata/rules
sudo chown -R suricata:suricata /usr/share/suricata/rules/
# set the right permissions
sudo chmod 755 /usr/var/lib/suricata/rules/suricata.rules
# restart the services properly by reloading all the daemons, which are programs running in the background as on Windows, also called services
sudo systemctl daemon-reload && sudo systemctl restart suricata.service

without getting this error:

rging-deleted.rules
6/9/2024 -- 12:24:47 - <Info> -- Loaded 52443 rules.
6/9/2024 -- 12:24:47 - <Info> -- Disabled 5 rules.
6/9/2024 -- 12:24:47 - <Info> -- Enabled 0 rules.
6/9/2024 -- 12:24:47 - <Info> -- Modified 0 rules.
6/9/2024 -- 12:24:47 - <Info> -- Dropped 0 rules.
6/9/2024 -- 12:24:48 - <Info> -- Enabled 136 rules for flowbit dependencies.
6/9/2024 -- 12:24:48 - <Info> -- Backing up current rules.
6/9/2024 -- 12:24:50 - <Info> -- Writing rules to /usr/var/lib/suricata/rules/suricata.rules: total: 52443; enabled: 39802; added: 42; removed 2; modified: 1169
6/9/2024 -- 12:24:50 - <Info> -- Writing /usr/var/lib/suricata/rules/classification.config
6/9/2024 -- 12:24:51 - <Info> -- Testing with suricata -T.
{"timestamp":"2024-09-06T12:24:51.185556+0200","log_level":"Error","event_type":"engine","engine":{"message":"Error opening file: \"/tmp/tmpi791hebg/fast.log\": Permission denied","thread_name":"Suricata-Main","module":"logopenfile"}}
{"timestamp":"2024-09-06T12:24:51.185861+0200","log_level":"Error","event_type":"engine","engine":{"message":"output module \"fast\": setup failed","thread_name":"Suricata-Main","module":"runmodes"}}
6/9/2024 -- 12:24:51 - <Error> -- Suricata test failed, aborting.
6/9/2024 -- 12:24:51 - <Error> -- Restoring previous rules.
alexandre@alexandre-developpeur:~/Documents$ 

Why? I wrote this: sudo setfacl -m u:suricata:rwx /tmp

Best regards

Do you have Suricata configured to run as a non-root user with run-as in your suricata.yaml?

Normally yes, but I'm reinstalling everything.

I still have the problem. The installation script for Suricata is as follows:

./scripts/bundle.sh ./autogen.sh \ autoreconf -i \ sudo chmod +x ./autogen.sh ./configure --prefix=/usr/ --bindir=/usr/bin/ --sbindir=/usr/sbin/ --libdir=/usr/lib/ --sysconfdir=/etc/ --enable-python --enable-debug --enable-unittests --enable-ebpf-build --enable-geoip --enable-af-packet --enable-nflog --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/lib/x86_64-linux-gnu/ --with-libhtp-includes=/usr/local/include/htp --with-libhtp-libraries=/usr/lib --with-libyaml-libraries=/usr/lib/x86_64-linux-gnu --enable-nfqueue \ && cargo install --force cbindgen && sudo make -j10 && sudo make install-full

and then I put this in the shell:

sudo chmod -R 750  /usr/bin/share/doc/suricata
sudo chmod -R 750  /usr/bin/share/suricata
sudo chmod -R 750  /usr/bin/lib/suricata
sudo chmod -R 750  /usr/bin/var/run/suricata
sudo chmod -R 750  /usr/bin/var/lib/suricata
sudo chmod -R 750  /usr/bin/suricata
sudo chmod -R 750  /usr/share/doc/suricata
sudo chmod -R 750  /usr/share/suricata
sudo chmod -R 750  /usr/lib/suricata
sudo chmod -R 750  /usr/lib/suricata/python/suricata
sudo chmod -R 750  /usr/var/run/suricata
sudo chmod -R 750 /usr/var/lib/suricata
sudo chmod -R 750 /usr/var/log/suricata
sudo chmod -R 750 /usr/local/share/doc/suricata
sudo chmod -R 750  /usr/local/share/suricata
sudo chmod -R 750 /usr/local/lib/suricata
sudo chmod -R 750 /usr/local/var/run/suricata
sudo chmod -R 750  /usr/local/var/lib/suricata
sudo chmod -R 750 /usr/local/var/log/suricata
sudo chmod -R 750 /usr/local/etc/suricata


sudo chown -R suricata:suricata   /usr/bin/share/doc/suricata
sudo chown -R suricata:suricata   /usr/bin/share/suricata
sudo chown -R suricata:suricata   /usr/bin/lib/suricata
sudo chown -R suricata:suricata   /usr/bin/var/run/suricata
sudo chown -R suricata:suricata   /usr/bin/var/lib/suricata
sudo chown -R suricata:suricata   /usr/bin/suricata
sudo chown -R suricata:suricata   /usr/share/doc/suricata
sudo chown -R suricata:suricata   /usr/share/suricata
sudo chown -R suricata:suricata   /usr/lib/suricata
sudo chown -R suricata:suricata   /usr/lib/suricata/python/suricata
sudo chown -R suricata:suricata   /usr/var/run/suricata
sudo chown -R suricata:suricata  /usr/var/lib/suricata
sudo chown -R suricata:suricata  /usr/var/log/suricata
sudo chown -R suricata:suricata  /usr/local/share/doc/suricata
sudo chown -R suricata:suricata  /usr/local/share/suricata
sudo chown -R suricata:suricata  /usr/local/lib/suricata
sudo chown -R suricata:suricata  /usr/local/var/run/suricata
sudo chown -R suricata:suricata   /usr/local/var/lib/suricata
sudo chown -R suricata:suricata  /usr/local/var/log/suricata
sudo chown -R suricata:suricata /usr/local/etc/suricata

sudo setcap cap_net_admin,cap_net_raw,cap_sys_nice+eip /usr/bin/suricata

The content of my daemon configuration is:

[Unit]
Description=Suricata IDS/IPS service
After=network.target

[Service]
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -q 0
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
User=suricata
Group=suricata
WorkingDirectory=/usr/suricata
PIDFile=/run/suricata.pid
LimitNOFILE=65536
StandardOutput=file:/var/log/suricata/suricata.log
StandardError=file:/var/log/suricata/suricata_error.log


[Install]
WantedBy=multi-user.target

Is this a missing right that I need to add to the user and group suricata? And my script to update the rules is:

sudo suricata-update
# copy the rules into the right directory
sudo cp -r /usr/var/lib/suricata/rules/suricata.rules /usr/share/suricata/rules/suricata.rules
# give ownership of the directory to the right user
sudo chown -R suricata:suricata /usr/var/lib/suricata/rules
sudo chown -R suricata:suricata /usr/share/suricata/rules/
# set the right permissions
sudo chmod 755 /usr/var/lib/suricata/rules/suricata.rules
# restart the services properly by reloading all the daemons, which are programs running in the background as on Windows, also called services
sudo systemctl daemon-reload && sudo systemctl restart suricata.service

and the result is:

18/9/2024 -- 16:28:03 - <Info> -- Writing /usr/var/lib/suricata/rules/classification.config
18/9/2024 -- 16:28:03 - <Info> -- Testing with suricata -T.
{"timestamp":"2024-09-18T16:28:03.537904+0200","log_level":"Error","event_type":"engine","engine":{"message":"Error opening file: \"/tmp/tmp7zr9r6wc/fast.log\": Permission denied","thread_name":"Suricata-Main","module":"logopenfile"}}
{"timestamp":"2024-09-18T16:28:03.538271+0200","log_level":"Error","event_type":"engine","engine":{"message":"output module \"fast\": setup failed","thread_name":"Suricata-Main","module":"runmodes"}}
18/9/2024 -- 16:28:03 - <Error> -- Suricata test failed, aborting.
18/9/2024 -- 16:28:03 - <Error> -- Restoring previous rules.
alexandre@alexandre-developpeur:~/Documents$
and I have this in /etc/suricata/suricata.yaml:

# Run Suricata with a specific user-id and group-id:
run-as:
  user: suricata
  group: suricata

OK, I reinstalled Suricata with this script, and no more problem:

./scripts/bundle.sh
./autogen.sh \
autoreconf -i \
sudo chmod +x ./autogen.sh
./configure --prefix=/usr/ --bindir=/usr/bin/ --sbindir=/usr/sbin/ --libdir=/usr/lib/ --sysconfdir=/etc/ --enable-python --enable-debug --enable-unittests --enable-ebpf-build --enable-geoip --enable-af-packet --enable-nflog --with-libpcap-includes=/usr/local/include --with-libpcap-libraries=/usr/lib/x86_64-linux-gnu/ --with-libhtp-includes=/usr/local/include/htp --with-libhtp-libraries=/usr/lib --with-libyaml-libraries=/usr/lib/x86_64-linux-gnu --enable-nfqueue \
  && cargo install --force cbindgen && sudo make -j10 && sudo make install-full

No, I still have the same problem :frowning:

I must regularly reinstall Suricata; here are my configurations:

alexandre@alexandre-developpeur:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 24.04.1 LTS
Release:	24.04
Codename:	noble
alexandre@alexandre-developpeur:~$ uname -r
6.9.9-060909-generic
alexandre@alexandre-developpeur:~$

The file doesn't exist in the tmp directory.
Regards

Demonstration video: Capture vidéo du 2024-10-12 20-31-35.webm - Google Drive

@ish
I still have the problem!!

30/1/2025 -- 11:43:20 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/ssh-events.rules
30/1/2025 -- 11:43:20 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
30/1/2025 -- 11:43:20 - <Info> -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
30/1/2025 -- 11:43:21 - <Info> -- Ignoring file b3a62191660c4b770056372c69bc7439/rules/emerging-deleted.rules
30/1/2025 -- 11:43:24 - <Info> -- Loaded 56397 rules.
30/1/2025 -- 11:43:24 - <Info> -- Disabled 13 rules.
30/1/2025 -- 11:43:24 - <Info> -- Enabled 0 rules.
30/1/2025 -- 11:43:24 - <Info> -- Modified 0 rules.
30/1/2025 -- 11:43:24 - <Info> -- Dropped 0 rules.
30/1/2025 -- 11:43:25 - <Info> -- Enabled 136 rules for flowbit dependencies.
30/1/2025 -- 11:43:25 - <Info> -- Backing up current rules.
30/1/2025 -- 11:43:29 - <Info> -- Writing rules to /usr/var/lib/suricata/rules/suricata.rules: total: 56397; enabled: 42161; added: 150; removed 6; modified: 1174
30/1/2025 -- 11:43:29 - <Info> -- Writing /usr/var/lib/suricata/rules/classification.config
30/1/2025 -- 11:43:29 - <Info> -- Testing with suricata -T.
30/1/2025 -- 11:43:30 - <Error> -- Error opening file: "/tmp/tmp9ce96lya/fast.log": Permission denied
30/1/2025 -- 11:43:30 - <Error> -- output module "fast": setup failed
30/1/2025 -- 11:43:30 - <Error> -- Suricata test failed, aborting.
30/1/2025 -- 11:43:30 - <Error> -- Restoring previous rules.
alexandre@alexandre-Matebook:~/Documents$ 

This still looks like a permission issue, like Jason pointed out.

How can I do this? Is it a good idea to set the owner of the tmp folder and its subfolders to suricata?

Looks like run-as has an incompatibility with suricata-update at the moment. I'll need to look further into that and see if it can be solved securely.

A work-around, though, is to:

  • Remove the run-as section from your suricata.yaml.
  • Add --user suricata --group suricata to your Suricata command line arguments in your systemd unit file.

Then you should be able to execute suricata-update as a non-privileged user, as long as it's part of the Suricata group and the directory permissions are configured as described here:

https://docs.suricata.io/en/latest/security.html#running-as-a-user-other-than-root

One of the problems with run-as is that it's going to try and change IDs even when started as non-root, which is going to fail, and I prefer a setup where I can manage most of Suricata without becoming root, so I generally don't recommend use of run-as, but instead the --user command line option in the systemd file.


@ish awesome!!! Thank you very much.
Why change IDs??

Suricata needs root access to start as it has to get raw read access to network interfaces. But once it has that access, it can change ID to a less privileged user, which is just a good security practice.

Suricata has 2 ways to do this, on the command line or through the run-as configuration section. It is my opinion that doing it on the command line works better for systemd integration; however, this needs to be better documented. The Suricata RPMs which do drop privileges do it at the command line in the systemd unit file, which allows users of the suricata group to run suricata-update and reload through the unix socket. That might not work if privilege dropping was done with run-as. Again, I think it's more of a documentation issue than anything, as I'm sure both ways of dropping privileges have their uses.

@ish it doesn't work with the command:

alexandre@alexandre-Matebook:~$ --user suricata --group suricata /usr/bin/suricata -c /etc/suricata/suricata.yaml -q 0
--user : commande introuvable
alexandre@alexandre-Matebook:~$

with a service file that contains:

[Unit]
Description=Suricata IDS/IPS service
After=network.target

[Service]
ExecStart=--user suricata --group suricata /usr/bin/suricata -c /etc/suricata/suricata.yaml -q 0
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
PIDFile=/run/suricata.pid
LimitNOFILE=65536
#StandardOutput=file:/var/log/suricata/suricata.log
#StandardError=file:/var/log/suricata/suricata_error.log


[Install]
WantedBy=multi-user.target

--user and --group are Suricata arguments, place them after /usr/bin/suricata.

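As an added example (not code from this thread or from the Suricata project), here is a small shell audit for the two points of the work-around above and the argument-order fix in the last reply: the ExecStart line must begin with an absolute path to the Suricata binary, --user and --group must follow it as Suricata arguments, and suricata.yaml must have no active run-as section. The unit and yaml files it inspects are constructed inline in a temporary directory; the function names and the sample file names are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not from the thread or the Suricata project: audit a systemd
# unit and a suricata.yaml for the privilege-dropping setup recommended above.

# Return 0 if the ExecStart= line in unit file "$1" begins with an absolute
# path and passes --user and --group after the binary, 1 otherwise.
check_execstart() {
    execline=$(grep '^ExecStart=' "$1" | head -n 1 | sed 's/^ExecStart=//')
    if [ -z "$execline" ]; then
        echo "no ExecStart= line in $1"
        return 1
    fi
    # Split the command line into words; the first word must be the binary.
    set -- $execline
    case "$1" in
        /*) ;;
        *)  echo "ExecStart must begin with an absolute path, got '$1'"
            return 1 ;;
    esac
    bin=$1
    shift
    have_user=0
    have_group=0
    for arg in "$@"; do
        case "$arg" in
            --user)  have_user=1 ;;
            --group) have_group=1 ;;
        esac
    done
    if [ "$have_user" -ne 1 ] || [ "$have_group" -ne 1 ]; then
        echo "$bin is started without --user and --group"
        return 1
    fi
    echo "ok: $bin drops privileges via --user/--group"
    return 0
}

# Return 0 if yaml file "$1" has no uncommented run-as: key, 1 otherwise.
check_no_run_as() {
    if grep -Eq '^[[:space:]]*run-as:' "$1"; then
        echo "$1 still has a run-as section; remove it when using --user/--group"
        return 1
    fi
    echo "ok: no run-as section in $1"
    return 0
}

# Constructed sample files for the demo, written to a temporary directory
# that is removed when the shell exits.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# The unit from the thread, with the options placed before the binary.
printf '%s\n' '[Service]' \
  'ExecStart=--user suricata --group suricata /usr/bin/suricata -c /etc/suricata/suricata.yaml -q 0' \
  > "$demo_dir/bad.service"
# The corrected form: options after the binary, as Suricata arguments.
printf '%s\n' '[Service]' \
  'ExecStart=/usr/bin/suricata --user suricata --group suricata -c /etc/suricata/suricata.yaml -q 0' \
  > "$demo_dir/good.service"
# A yaml with run-as active, and one with the section commented out.
printf '%s\n' 'run-as:' '  user: suricata' '  group: suricata' > "$demo_dir/runas.yaml"
printf '%s\n' '#run-as:' '#  user: suricata' '#  group: suricata' > "$demo_dir/norunas.yaml"

for f in bad.service good.service; do
    check_execstart "$demo_dir/$f" || true
done
for f in runas.yaml norunas.yaml; do
    check_no_run_as "$demo_dir/$f" || true
done
```

On a real host the same two functions can be pointed at the installed files, for instance check_execstart /etc/systemd/system/suricata.service and check_no_run_as /etc/suricata/suricata.yaml; a non-zero return from either one means the unit or the yaml still matches the failing configuration shown in the thread.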

Thank you very much!! I will try.