logging: change ownership of application log if needed

When running with privilege dropping, the application log file
is opened before privileges are dropped resulting in Suricata
failing to re-open the file for file rotation.

If needed, chown the application to the run-as user/group after
opening.

Ticker #4523

(cherry picked from commit 59ac1fe277b0dc2fc2b6c1739c10eb58a0d48cba)

diff --git a/src/suricata.c b/src/suricata.c
index 78b4d28dd9091329cb60c22cf54b97c5e1714ce9..c3f7844fe9fdbabfc45268bdce440ad8cb00f61e 100644 (file)
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -1032,9 +1032,9 @@ static void SCInstanceInit(SCInstance *suri, const char *progname)
     suri->group_name = NULL;
     suri->do_setuid = FALSE;
     suri->do_setgid = FALSE;
+#endif /* OS_WIN32 */
     suri->userid = 0;
     suri->groupid = 0;
-#endif /* OS_WIN32 */
     suri->delayed_detect = 0;
     suri->daemon = 0;
     suri->offline = 0;
@@ -3081,7 +3081,7 @@ int main(int argc, char **argv)
 
     /* Since our config is now loaded we can finish configurating the
      * logging module. */
-    SCLogLoadConfig(suricata.daemon, suricata.verbose);
+    SCLogLoadConfig(suricata.daemon, suricata.verbose, suricata.userid, suricata.groupid);
 
     LogVersion(&suricata);
     UtilCpuPrintSummary();

diff --git a/src/suricata.h b/src/suricata.h
index 20e45962c93d3ad5d63b3196a46ecd5b608ff7ba..4cb596c73d4d6e135d4ab1af998c8ca5793de343 100644 (file)
--- a/src/suricata.h
+++ b/src/suricata.h
@@ -139,9 +139,9 @@ typedef struct SCInstance_ {
     const char *group_name;
     uint8_t do_setuid;
     uint8_t do_setgid;
+#endif /* OS_WIN32 */
     uint32_t userid;
     uint32_t groupid;
-#endif /* OS_WIN32 */
 
     bool system;
     bool set_logdir;

diff --git a/src/util-debug.c b/src/util-debug.c
index 801be1dc97e5c353c799cfb3d4b049578387b8fc..a7b4b66bd02fa4f6af6b5d390ca6f644a2d23cfa 100644 (file)
--- a/src/util-debug.c
+++ b/src/util-debug.c
@@ -695,10 +695,8 @@ static inline SCLogOPIfaceCtx *SCLogAllocLogOPIfaceCtx(void)
  * \retval iface_ctx Pointer to the file output interface context created
  * \initonly
  */
-static inline SCLogOPIfaceCtx *SCLogInitFileOPIface(const char *file,
-                                                    const char *log_format,
-                                                    int log_level,
-                                                    SCLogOPType type)
+static inline SCLogOPIfaceCtx *SCLogInitFileOPIface(const char *file, uint32_t userid,
+        uint32_t groupid, const char *log_format, int log_level, SCLogOPType type)
 {
     SCLogOPIfaceCtx *iface_ctx = SCLogAllocLogOPIfaceCtx();
 
@@ -719,6 +717,15 @@ static inline SCLogOPIfaceCtx *SCLogInitFileOPIface(const char *file,
         goto error;
     }
 
+#ifndef OS_WIN32
+    if (userid != 0 || groupid != 0) {
+        if (chown(file, userid, groupid) == -1) {
+            SCLogWarning(SC_WARN_CHOWN, "Failed to change ownership of file %s: %s", file,
+                    strerror(errno));
+        }
+    }
+#endif
+
     if ((iface_ctx->file = SCStrdup(file)) == NULL) {
         goto error;
     }
@@ -1033,11 +1040,11 @@ static inline void SCLogSetOPIface(SCLogInitData *sc_lid, SCLogConfig *sc_lc)
                 if (s == NULL) {
                     char *str = SCLogGetLogFilename(SC_LOG_DEF_LOG_FILE);
                     if (str != NULL) {
-                        op_ifaces_ctx = SCLogInitFileOPIface(str, NULL, SC_LOG_LEVEL_MAX,0);
+                        op_ifaces_ctx = SCLogInitFileOPIface(str, 0, 0, NULL, SC_LOG_LEVEL_MAX, 0);
                         SCFree(str);
                     }
                 } else {
-                    op_ifaces_ctx = SCLogInitFileOPIface(s, NULL, SC_LOG_LEVEL_MAX,0);
+                    op_ifaces_ctx = SCLogInitFileOPIface(s, 0, 0, NULL, SC_LOG_LEVEL_MAX, 0);
                 }
                 break;
             case SC_LOG_OP_IFACE_SYSLOG:
@@ -1237,7 +1244,7 @@ SCLogOPIfaceCtx *SCLogInitOPIfaceCtx(const char *iface_name,
         case SC_LOG_OP_IFACE_CONSOLE:
             return SCLogInitConsoleOPIface(log_format, log_level, SC_LOG_OP_TYPE_REGULAR);
         case SC_LOG_OP_IFACE_FILE:
-            return SCLogInitFileOPIface(arg, log_format, log_level, SC_LOG_OP_TYPE_REGULAR);
+            return SCLogInitFileOPIface(arg, 0, 0, log_format, log_level, SC_LOG_OP_TYPE_REGULAR);
         case SC_LOG_OP_IFACE_SYSLOG:
             return SCLogInitSyslogOPIface(SCMapEnumNameToValue(arg, SCSyslogGetFacilityMap()),
                     log_format, log_level, SC_LOG_OP_TYPE_REGULAR);
@@ -1292,7 +1299,7 @@ void SCLogInitLogModule(SCLogInitData *sc_lid)
     return;
 }
 
-void SCLogLoadConfig(int daemon, int verbose)
+void SCLogLoadConfig(int daemon, int verbose, uint32_t userid, uint32_t groupid)
 {
     ConfNode *outputs;
     SCLogInitData *sc_lid;
@@ -1404,7 +1411,7 @@ void SCLogLoadConfig(int daemon, int verbose)
             if (path == NULL)
                 FatalError(SC_ERR_FATAL, "failed to setup output to file");
             have_logging = 1;
-            op_iface_ctx = SCLogInitFileOPIface(path, format, level, type);
+            op_iface_ctx = SCLogInitFileOPIface(path, userid, groupid, format, level, type);
             SCFree(path);
         }
         else if (strcmp(output->name, "syslog") == 0) {

diff --git a/src/util-debug.h b/src/util-debug.h
index 6b8f5808d6e67ef32bbe8756a4890abf13ff6960..ac11294b8475d3d394ac03e608b191387f54c1bc 100644 (file)
--- a/src/util-debug.h
+++ b/src/util-debug.h
@@ -596,6 +596,6 @@ int SCLogDebugEnabled(void);
 
 void SCLogRegisterTests(void);
 
-void SCLogLoadConfig(int daemon, int verbose);
+void SCLogLoadConfig(int daemon, int verbose, uint32_t userid, uint32_t groupid);
 
 #endif /* __UTIL_DEBUG_H__ */

diff --git a/src/util-error.c b/src/util-error.c
index 66f74c7de0f6b8d237b31e36f56b6030cf161390..a80c544cdf9f11a939633d3e3432520dce35752d 100644 (file)
--- a/src/util-error.c
+++ b/src/util-error.c
@@ -366,6 +366,8 @@ const char * SCErrorToString(SCError err)
         CASE_CODE (SC_ERR_DATASET);
         CASE_CODE (SC_WARN_ANOMALY_CONFIG);
         CASE_CODE (SC_WARN_ALERT_CONFIG);
+        CASE_CODE(SC_ERR_SIGNAL);
+        CASE_CODE(SC_WARN_CHOWN);
 
         CASE_CODE (SC_ERR_MAX);
     }

diff --git a/src/util-error.h b/src/util-error.h
index c8ef665e2a905be0b7c5677131349024a8eeb122..7f05db387847af68083269a448c61297b6e6fddf 100644 (file)
--- a/src/util-error.h
+++ b/src/util-error.h
@@ -356,6 +356,8 @@ typedef enum {
     SC_WARN_ANOMALY_CONFIG,
     SC_WARN_ALERT_CONFIG,
     SC_ERR_PCRE_COPY_SUBSTRING,
+    SC_ERR_SIGNAL,
+    SC_WARN_CHOWN,
 
     SC_ERR_MAX
 } SCError;

diff --git a/src/util-running-modes.c b/src/util-running-modes.c
index 9ff1cade0d80723be0c803acf17f3c56cb1f1c8f..a18b675bef6ba66e7b97d03c298ee1bc72fade50 100644 (file)
--- a/src/util-running-modes.c
+++ b/src/util-running-modes.c
@@ -32,7 +32,7 @@
 
 int ListKeywords(const char *keyword_info)
 {
-    SCLogLoadConfig(0, 0);
+    SCLogLoadConfig(0, 0, 0, 0);
     MpmTableSetup();
     SpmTableSetup();
     AppLayerSetup();
@@ -44,7 +44,7 @@ int ListKeywords(const char *keyword_info)
 int ListAppLayerProtocols()
 {
     if (ConfYamlLoadFile(DEFAULT_CONF_FILE) != -1)
-        SCLogLoadConfig(0, 0);
+        SCLogLoadConfig(0, 0, 0, 0);
     MpmTableSetup();
     SpmTableSetup();
     AppLayerSetup();