From 08518df373625eed25d03108bd24b9e389295c81 Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Thu, 20 Jan 2022 11:40:24 -0600 Subject: [PATCH] startup: initialize run as user info sooner Initialize the run-as user info after loading the config, but before setting up logging (previously it was done while initializing signal handlers). This will allow the log file to be given the correct permissions if Suricata is configured to run as a non-root user. --- src/suricata.c | 60 ++++++++++++++++++++++++++++---------------------- 1 file changed, 34 insertions(+), 26 deletions(-) diff --git a/src/suricata.c b/src/suricata.c index 20f138329c..52d203341b 100644 --- a/src/suricata.c +++ b/src/suricata.c @@ -2046,34 +2046,10 @@ static int MayDaemonize(SCInstance *suri) return TM_ECODE_OK; } -static int InitSignalHandler(SCInstance *suri) +/* Initialize the user and group Suricata is to run as. */ +static int InitRunAs(SCInstance *suri) { - /* registering signals we use */ -#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION - UtilSignalHandlerSetup(SIGINT, SignalHandlerSigint); - UtilSignalHandlerSetup(SIGTERM, SignalHandlerSigterm); -#if HAVE_LIBUNWIND - int enabled; - if (ConfGetBool("logging.stacktrace-on-signal", &enabled) == 0) { - enabled = 1; - } - - if (enabled) { - SCLogInfo("Preparing unexpected signal handling"); - struct sigaction stacktrace_action; - memset(&stacktrace_action, 0, sizeof(stacktrace_action)); - stacktrace_action.sa_sigaction = SignalHandlerUnexpected; - stacktrace_action.sa_flags = SA_SIGINFO; - sigaction(SIGSEGV, &stacktrace_action, NULL); - sigaction(SIGABRT, &stacktrace_action, NULL); - } -#endif /* HAVE_LIBUNWIND */ -#endif #ifndef OS_WIN32 - UtilSignalHandlerSetup(SIGHUP, SignalHandlerSigHup); - UtilSignalHandlerSetup(SIGPIPE, SIG_IGN); - UtilSignalHandlerSetup(SIGSYS, SIG_IGN); - /* Try to get user/group to run suricata as if command line as not decide of that */ if (suri->do_setuid == FALSE && suri->do_setgid == FALSE) { 
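Review bot: The one-line comment above `InitRunAs` does not record the ordering requirement that is the reason for this commit. The function reads `suri->do_setuid` and `suri->do_setgid` and, per the context comment, falls back to the configuration when the command line did not decide, so it has to run after the config is loaded; the commit message adds that it has to run before logging setup so the log file can be given the correct permissions. I would state that at the definition, e.g. `/* Resolve the user and group Suricata is to run as. Call after the configuration is loaded and before logging is set up, so the log file can be given the correct permissions. */`. The body of `InitRunAs` continues past the end of this hunk.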
@@ -2105,6 +2081,37 @@ static int InitSignalHandler(SCInstance *suri) sc_set_caps = TRUE; } +#endif + return TM_ECODE_OK; +} + +static int InitSignalHandler(SCInstance *suri) +{ + /* registering signals we use */ +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + UtilSignalHandlerSetup(SIGINT, SignalHandlerSigint); + UtilSignalHandlerSetup(SIGTERM, SignalHandlerSigterm); +#if HAVE_LIBUNWIND + int enabled; + if (ConfGetBool("logging.stacktrace-on-signal", &enabled) == 0) { + enabled = 1; + } + + if (enabled) { + SCLogInfo("Preparing unexpected signal handling"); + struct sigaction stacktrace_action; + memset(&stacktrace_action, 0, sizeof(stacktrace_action)); + stacktrace_action.sa_sigaction = SignalHandlerUnexpected; + stacktrace_action.sa_flags = SA_SIGINFO; + sigaction(SIGSEGV, &stacktrace_action, NULL); + sigaction(SIGABRT, &stacktrace_action, NULL); + } +#endif /* HAVE_LIBUNWIND */ +#endif +#ifndef OS_WIN32 + UtilSignalHandlerSetup(SIGHUP, SignalHandlerSigHup); + UtilSignalHandlerSetup(SIGPIPE, SIG_IGN); + UtilSignalHandlerSetup(SIGSYS, SIG_IGN); #endif /* OS_WIN32 */ return TM_ECODE_OK; @@ -2876,6 +2883,7 @@ int SuricataMain(int argc, char **argv) SCLogDebug("vlan tracking is %s", vlan_tracking == 1 ? "enabled" : "disabled"); SetupUserMode(&suricata); + InitRunAs(&suricata); /* Since our config is now loaded we can finish configurating the * logging module. */
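Review bot: `InitSignalHandler` no longer uses its `suri` parameter: after the split, the new body in this hunk only registers handlers and returns `TM_ECODE_OK`. Builds with unused-parameter warnings enabled will flag it, and the leftover argument suggests a dependency on the instance that is gone. Either drop the parameter and update the callers, which are outside this hunk, or make the intent explicit with `(void)suri;` at the top of the body. The closing brace of the function is outside the hunk.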
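Review bot: The new call `InitRunAs(&suricata);` discards the return value, although `InitRunAs` is declared `static int` and returns `TM_ECODE_OK` on its success path. The lookup code between the first two hunks is not visible here, but if it can return a failure code for an unknown user or group, startup would now continue past a failed run-as lookup and could set up logging, and keep running, with privileges other than the ones the operator configured. I would treat it as a fatal startup step, e.g. `if (InitRunAs(&suricata) != TM_ECODE_OK) { exit(EXIT_FAILURE); }`, or whatever failure path `SuricataMain` uses elsewhere. Any error logged inside `InitRunAs` is also now emitted before the logging module is fully configured, so it may not reach the configured log outputs. `SuricataMain` starts and ends outside this hunk.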