From: Jason Ish
Date: Thu, 20 Jan 2022 18:08:33 +0000 (-0600)
Subject: logging: change ownership of application log if needed
X-Git-Tag: suricata-5.0.9~91
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c97c9ec087c3a8ef028e3f4d8e8e05e3e0c7f9bd;p=thirdparty%2Fsuricata.git
logging: change ownership of application log if needed
When running with privilege dropping, the application log file is opened before privileges are dropped resulting in Suricata failing to re-open the file for file rotation. If needed, chown the application to the run-as user/group after opening.
Ticker #4523
(cherry picked from commit 59ac1fe277b0dc2fc2b6c1739c10eb58a0d48cba)
---
diff --git a/src/suricata.c b/src/suricata.c
index 78b4d28dd9..c3f7844fe9 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -1032,9 +1032,9 @@ static void SCInstanceInit(SCInstance *suri, const char *progname)
 suri->group_name = NULL;
 suri->do_setuid = FALSE;
 suri->do_setgid = FALSE;
+#endif /* OS_WIN32 */
 suri->userid = 0;
 suri->groupid = 0;
-#endif /* OS_WIN32 */
 suri->delayed_detect = 0;
 suri->daemon = 0;
 suri->offline = 0;
@@ -3081,7 +3081,7 @@ int main(int argc, char **argv)
 /* Since our config is now loaded we can finish configurating the
 * logging module. */
- SCLogLoadConfig(suricata.daemon, suricata.verbose);
+ SCLogLoadConfig(suricata.daemon, suricata.verbose, suricata.userid, suricata.groupid);
 LogVersion(&suricata);
 UtilCpuPrintSummary();
diff --git a/src/suricata.h b/src/suricata.h
index 20e45962c9..4cb596c73d 100644
--- a/src/suricata.h
+++ b/src/suricata.h
@@ -139,9 +139,9 @@ typedef struct SCInstance_ {
 const char *group_name;
 uint8_t do_setuid;
 uint8_t do_setgid;
+#endif /* OS_WIN32 */
 uint32_t userid;
 uint32_t groupid;
-#endif /* OS_WIN32 */
 bool system;
 bool set_logdir;
diff --git a/src/util-debug.c b/src/util-debug.c
index 801be1dc97..a7b4b66bd0 100644
--- a/src/util-debug.c
+++ b/src/util-debug.c
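Review bot: The new `SCLogLoadConfig(...)` call in the `main` hunk only has an effect if `suricata.userid` and `suricata.groupid` already hold the resolved run-as ids at this point; `SCInstanceInit` (first hunk) sets both to 0, and the chown added in `src/util-debug.c` is skipped when both are 0. Nothing in this hunk shows where the run-as user and group are resolved, so if that lookup runs later in startup the log file silently stays root-owned and re-opening it after the privilege drop still fails. I would confirm the ordering and record it at the call site, e.g. `/* userid/groupid must already be resolved from the run-as settings here; 0/0 disables the chown */`. The body of `main` continues outside the hunk.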
@@ -695,10 +695,8 @@ static inline SCLogOPIfaceCtx *SCLogAllocLogOPIfaceCtx(void)
 * \retval iface_ctx Pointer to the file output interface context created
 * \initonly
 */
-static inline SCLogOPIfaceCtx *SCLogInitFileOPIface(const char *file,
- const char *log_format,
- int log_level,
- SCLogOPType type)
+static inline SCLogOPIfaceCtx *SCLogInitFileOPIface(const char *file, uint32_t userid,
+ uint32_t groupid, const char *log_format, int log_level, SCLogOPType type)
 {
 SCLogOPIfaceCtx *iface_ctx = SCLogAllocLogOPIfaceCtx();
@@ -719,6 +717,15 @@ static inline SCLogOPIfaceCtx *SCLogInitFileOPIface(const char *file,
 goto error;
 }
+#ifndef OS_WIN32
+ if (userid != 0 || groupid != 0) {
+ if (chown(file, userid, groupid) == -1) {
+ SCLogWarning(SC_WARN_CHOWN, "Failed to change ownership of file %s: %s", file,
+ strerror(errno));
+ }
+ }
+#endif
+
 if ((iface_ctx->file = SCStrdup(file)) == NULL) {
 goto error;
 }
@@ -1033,11 +1040,11 @@ static inline void SCLogSetOPIface(SCLogInitData *sc_lid, SCLogConfig *sc_lc)
 if (s == NULL) {
 char *str = SCLogGetLogFilename(SC_LOG_DEF_LOG_FILE);
 if (str != NULL) {
- op_ifaces_ctx = SCLogInitFileOPIface(str, NULL, SC_LOG_LEVEL_MAX,0);
+ op_ifaces_ctx = SCLogInitFileOPIface(str, 0, 0, NULL, SC_LOG_LEVEL_MAX, 0);
 SCFree(str);
 }
 } else {
- op_ifaces_ctx = SCLogInitFileOPIface(s, NULL, SC_LOG_LEVEL_MAX,0);
+ op_ifaces_ctx = SCLogInitFileOPIface(s, 0, 0, NULL, SC_LOG_LEVEL_MAX, 0);
 }
 break;
 case SC_LOG_OP_IFACE_SYSLOG:
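Review bot: `chown(file, userid, groupid)` in the `SCLogInitFileOPIface` hunk (-719) acts on the path rather than on the file that was just opened, and per the commit message it runs before privileges are dropped. chown() follows symlinks, so if the log directory is writable by the run-as user or anyone else, the name can point at a different file by the time of the call and ownership of that file is handed over instead. Changing ownership through the already-open stream removes the second path lookup: `if (fchown(fileno(fp), userid, groupid) == -1) {`, where `fp` stands for the stream opened just above this hunk (the open call is not visible here). Separately, when only one id is configured the other is passed as 0 and the file's owner or group is explicitly set to root; passing `(uid_t)-1` or `(gid_t)-1` for the unset one would leave it unchanged.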
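Review bot: Both call sites in the `SCLogSetOPIface` hunk (-1033) pass `0, 0` for the new ids, as does the `SC_LOG_OP_IFACE_FILE` case in `SCLogInitOPIfaceCtx` (hunk at -1237), so a log file opened through these paths keeps its original owner and the re-open failure described in the commit message remains for them. If that is intended, a comment at the calls would say so, e.g. `/* ownership is left unchanged here; only SCLogLoadConfig passes the run-as ids */`; otherwise the ids need to reach these functions as well. `SCLogSetOPIface` starts and ends outside the hunk.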
@@ -1237,7 +1244,7 @@ SCLogOPIfaceCtx *SCLogInitOPIfaceCtx(const char *iface_name,
 case SC_LOG_OP_IFACE_CONSOLE:
 return SCLogInitConsoleOPIface(log_format, log_level, SC_LOG_OP_TYPE_REGULAR);
 case SC_LOG_OP_IFACE_FILE:
- return SCLogInitFileOPIface(arg, log_format, log_level, SC_LOG_OP_TYPE_REGULAR);
+ return SCLogInitFileOPIface(arg, 0, 0, log_format, log_level, SC_LOG_OP_TYPE_REGULAR);
 case SC_LOG_OP_IFACE_SYSLOG:
 return SCLogInitSyslogOPIface(SCMapEnumNameToValue(arg, SCSyslogGetFacilityMap()), log_format, log_level, SC_LOG_OP_TYPE_REGULAR);
@@ -1292,7 +1299,7 @@ void SCLogInitLogModule(SCLogInitData *sc_lid)
 return;
 }
-void SCLogLoadConfig(int daemon, int verbose)
+void SCLogLoadConfig(int daemon, int verbose, uint32_t userid, uint32_t groupid)
 {
 ConfNode *outputs;
 SCLogInitData *sc_lid;
@@ -1404,7 +1411,7 @@ void SCLogLoadConfig(int daemon, int verbose)
 if (path == NULL) FatalError(SC_ERR_FATAL, "failed to setup output to file");
 have_logging = 1;
- op_iface_ctx = SCLogInitFileOPIface(path, format, level, type);
+ op_iface_ctx = SCLogInitFileOPIface(path, userid, groupid, format, level, type);
 SCFree(path);
 } else if (strcmp(output->name, "syslog") == 0) {
diff --git a/src/util-debug.h b/src/util-debug.h
index 6b8f5808d6..ac11294b84 100644
--- a/src/util-debug.h
+++ b/src/util-debug.h
@@ -596,6 +596,6 @@ int SCLogDebugEnabled(void);
 void SCLogRegisterTests(void);
-void SCLogLoadConfig(int daemon, int verbose);
+void SCLogLoadConfig(int daemon, int verbose, uint32_t userid, uint32_t groupid);
 #endif /* __UTIL_DEBUG_H__ */
diff --git a/src/util-error.c b/src/util-error.c
index 66f74c7de0..a80c544cdf 100644
--- a/src/util-error.c
+++ b/src/util-error.c
@@ -366,6 +366,8 @@ const char * SCErrorToString(SCError err)
 CASE_CODE (SC_ERR_DATASET);
 CASE_CODE (SC_WARN_ANOMALY_CONFIG);
 CASE_CODE (SC_WARN_ALERT_CONFIG);
+ CASE_CODE(SC_ERR_SIGNAL);
+ CASE_CODE(SC_WARN_CHOWN);
 CASE_CODE (SC_ERR_MAX);
 }
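Review bot: The `SCErrorToString` hunk in `src/util-error.c` places the two new `CASE_CODE` lines directly after `SC_WARN_ALERT_CONFIG`, while the enum in `src/util-error.h` has `SC_ERR_PCRE_COPY_SUBSTRING` between that value and the new ones. Unless that code is handled elsewhere in the switch (not visible here), it has no string mapping and should get `CASE_CODE (SC_ERR_PCRE_COPY_SUBSTRING);` ahead of the added lines. `SC_ERR_SIGNAL` is introduced but not used anywhere in this commit, which deserves a word in the commit message if it is only there to keep the enum aligned with another branch. The new lines also drop the space before the parenthesis that the surrounding `CASE_CODE (...)` lines use.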
diff --git a/src/util-error.h b/src/util-error.h
index c8ef665e2a..7f05db3878 100644
--- a/src/util-error.h
+++ b/src/util-error.h
@@ -356,6 +356,8 @@ typedef enum {
 SC_WARN_ANOMALY_CONFIG,
 SC_WARN_ALERT_CONFIG,
 SC_ERR_PCRE_COPY_SUBSTRING,
+ SC_ERR_SIGNAL,
+ SC_WARN_CHOWN,
 SC_ERR_MAX
 } SCError;
diff --git a/src/util-running-modes.c b/src/util-running-modes.c
index 9ff1cade0d..a18b675bef 100644
--- a/src/util-running-modes.c
+++ b/src/util-running-modes.c
@@ -32,7 +32,7 @@
 int ListKeywords(const char *keyword_info)
 {
- SCLogLoadConfig(0, 0);
+ SCLogLoadConfig(0, 0, 0, 0);
 MpmTableSetup();
 SpmTableSetup();
 AppLayerSetup();
@@ -44,7 +44,7 @@ int ListKeywords(const char *keyword_info)
 int ListAppLayerProtocols()
 {
 if (ConfYamlLoadFile(DEFAULT_CONF_FILE) != -1)
- SCLogLoadConfig(0, 0);
+ SCLogLoadConfig(0, 0, 0, 0);
 MpmTableSetup();
 SpmTableSetup();
 AppLayerSetup();