logging: change ownership of application log if needed

When running with privilege dropping, the application log file
is opened before privileges are dropped resulting in Suricata
failing to re-open the file for file rotation.

If needed, chown the application to the run-as user/group after
opening.

Ticker #4523

diff --git a/src/suricata.c b/src/suricata.c
index 52d203341b859c243720aec8313baea1783268ea..47cadf3d5f236448102f3950b516585c999436d1 100644 (file)
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -1075,9 +1075,9 @@ static void SCInstanceInit(SCInstance *suri, const char *progname)
     suri->group_name = NULL;
     suri->do_setuid = FALSE;
     suri->do_setgid = FALSE;
+#endif /* OS_WIN32 */
     suri->userid = 0;
     suri->groupid = 0;
-#endif /* OS_WIN32 */
     suri->delayed_detect = 0;
     suri->daemon = 0;
     suri->offline = 0;
@@ -2887,7 +2887,7 @@ int SuricataMain(int argc, char **argv)
 
     /* Since our config is now loaded we can finish configurating the
      * logging module. */
-    SCLogLoadConfig(suricata.daemon, suricata.verbose);
+    SCLogLoadConfig(suricata.daemon, suricata.verbose, suricata.userid, suricata.groupid);
 
     LogVersion(&suricata);
     UtilCpuPrintSummary();

diff --git a/src/suricata.h b/src/suricata.h
index 833b348378f842d45b62f4b1389ee8f3c685f2d2..81d63716e07b1f11c0a9bbacd5553e7a91b26a7f 100644 (file)
--- a/src/suricata.h
+++ b/src/suricata.h
@@ -137,9 +137,9 @@ typedef struct SCInstance_ {
     const char *group_name;
     uint8_t do_setuid;
     uint8_t do_setgid;
+#endif /* OS_WIN32 */
     uint32_t userid;
     uint32_t groupid;
-#endif /* OS_WIN32 */
 
     bool system;
     bool set_logdir;

diff --git a/src/util-debug.c b/src/util-debug.c
index 648471af92ba4fc9110b66765f3efe5a18ed0b52..20d0709612a5656ba4bfc6d96c6ec7cb5becfd33 100644 (file)
--- a/src/util-debug.c
+++ b/src/util-debug.c
@@ -727,10 +727,8 @@ static inline SCLogOPIfaceCtx *SCLogAllocLogOPIfaceCtx(void)
  * \retval iface_ctx Pointer to the file output interface context created
  * \initonly
  */
-static inline SCLogOPIfaceCtx *SCLogInitFileOPIface(const char *file,
-                                                    const char *log_format,
-                                                    int log_level,
-                                                    SCLogOPType type)
+static inline SCLogOPIfaceCtx *SCLogInitFileOPIface(const char *file, uint32_t userid,
+        uint32_t groupid, const char *log_format, int log_level, SCLogOPType type)
 {
     SCLogOPIfaceCtx *iface_ctx = SCLogAllocLogOPIfaceCtx();
 
@@ -751,6 +749,15 @@ static inline SCLogOPIfaceCtx *SCLogInitFileOPIface(const char *file,
         goto error;
     }
 
+#ifndef OS_WIN32
+    if (userid != 0 || groupid != 0) {
+        if (chown(file, userid, groupid) == -1) {
+            SCLogWarning(SC_WARN_CHOWN, "Failed to change ownership of file %s: %s", file,
+                    strerror(errno));
+        }
+    }
+#endif
+
     if ((iface_ctx->file = SCStrdup(file)) == NULL) {
         goto error;
     }
@@ -1070,11 +1077,11 @@ static inline void SCLogSetOPIface(SCLogInitData *sc_lid, SCLogConfig *sc_lc)
                 if (s == NULL) {
                     char *str = SCLogGetLogFilename(SC_LOG_DEF_LOG_FILE);
                     if (str != NULL) {
-                        op_ifaces_ctx = SCLogInitFileOPIface(str, NULL, SC_LOG_LEVEL_MAX,0);
+                        op_ifaces_ctx = SCLogInitFileOPIface(str, 0, 0, NULL, SC_LOG_LEVEL_MAX, 0);
                         SCFree(str);
                     }
                 } else {
-                    op_ifaces_ctx = SCLogInitFileOPIface(s, NULL, SC_LOG_LEVEL_MAX,0);
+                    op_ifaces_ctx = SCLogInitFileOPIface(s, 0, 0, NULL, SC_LOG_LEVEL_MAX, 0);
                 }
                 break;
             case SC_LOG_OP_IFACE_SYSLOG:
@@ -1272,7 +1279,7 @@ SCLogOPIfaceCtx *SCLogInitOPIfaceCtx(const char *iface_name,
         case SC_LOG_OP_IFACE_CONSOLE:
             return SCLogInitConsoleOPIface(log_format, log_level, SC_LOG_OP_TYPE_REGULAR);
         case SC_LOG_OP_IFACE_FILE:
-            return SCLogInitFileOPIface(arg, log_format, log_level, SC_LOG_OP_TYPE_REGULAR);
+            return SCLogInitFileOPIface(arg, 0, 0, log_format, log_level, SC_LOG_OP_TYPE_REGULAR);
         case SC_LOG_OP_IFACE_SYSLOG:
             return SCLogInitSyslogOPIface(SCMapEnumNameToValue(arg, SCSyslogGetFacilityMap()),
                     log_format, log_level, SC_LOG_OP_TYPE_REGULAR);
@@ -1326,7 +1333,7 @@ void SCLogInitLogModule(SCLogInitData *sc_lid)
     return;
 }
 
-void SCLogLoadConfig(int daemon, int verbose)
+void SCLogLoadConfig(int daemon, int verbose, uint32_t userid, uint32_t groupid)
 {
     ConfNode *outputs;
     SCLogInitData *sc_lid;
@@ -1437,7 +1444,7 @@ void SCLogLoadConfig(int daemon, int verbose)
             if (path == NULL)
                 FatalError(SC_ERR_FATAL, "failed to setup output to file");
             have_logging = 1;
-            op_iface_ctx = SCLogInitFileOPIface(path, format, level, type);
+            op_iface_ctx = SCLogInitFileOPIface(path, userid, groupid, format, level, type);
             SCFree(path);
         }
         else if (strcmp(output->name, "syslog") == 0) {

diff --git a/src/util-debug.h b/src/util-debug.h
index 42b4e1b4574fea3b34ddecbea67842b8810b7a29..24915471ed028caf68ba780f705d272e16f92010 100644 (file)
--- a/src/util-debug.h
+++ b/src/util-debug.h
@@ -573,7 +573,7 @@ int SCLogDebugEnabled(void);
 
 void SCLogRegisterTests(void);
 
-void SCLogLoadConfig(int daemon, int verbose);
+void SCLogLoadConfig(int daemon, int verbose, uint32_t userid, uint32_t groupid);
 
 SCLogLevel SCLogGetLogLevel(void);
 

diff --git a/src/util-error.c b/src/util-error.c
index ce67836b84af8c19d4ebe00311f575268ea28c62..0c2555543d57aca39fcb49db74f13c166eb98135 100644 (file)
--- a/src/util-error.c
+++ b/src/util-error.c
@@ -386,6 +386,7 @@ const char * SCErrorToString(SCError err)
         CASE_CODE(SC_ERR_DPDK_CONF);
         CASE_CODE(SC_WARN_DPDK_CONF);
         CASE_CODE(SC_ERR_SIGNAL);
+        CASE_CODE(SC_WARN_CHOWN);
 
         CASE_CODE (SC_ERR_MAX);
     }

diff --git a/src/util-error.h b/src/util-error.h
index 1dbff4053afe446952d0884e12defc0890fcc0b7..5f321b2d10a3a03a46fdcec62438db36dabc048c 100644 (file)
--- a/src/util-error.h
+++ b/src/util-error.h
@@ -376,6 +376,7 @@ typedef enum {
     SC_ERR_DPDK_CONF,
     SC_WARN_DPDK_CONF,
     SC_ERR_SIGNAL,
+    SC_WARN_CHOWN,
 
     SC_ERR_MAX
 } SCError;

diff --git a/src/util-running-modes.c b/src/util-running-modes.c
index 22b933c7afc8f1ba674f605868fbcfa9b8a66dd5..a88885c0a26f263a05a65ec544b1ab40f3b9bcc9 100644 (file)
--- a/src/util-running-modes.c
+++ b/src/util-running-modes.c
@@ -31,7 +31,7 @@
 
 int ListKeywords(const char *keyword_info)
 {
-    SCLogLoadConfig(0, 0);
+    SCLogLoadConfig(0, 0, 0, 0);
     MpmTableSetup();
     SpmTableSetup();
     AppLayerSetup();
@@ -42,7 +42,7 @@ int ListKeywords(const char *keyword_info)
 int ListAppLayerProtocols(const char *conf_filename)
 {
     if (ConfYamlLoadFile(conf_filename) != -1)
-        SCLogLoadConfig(0, 0);
+        SCLogLoadConfig(0, 0, 0, 0);
     MpmTableSetup();
     SpmTableSetup();
     AppLayerSetup();