commit:     2c174cb604c2c99f9d9e8ac4fab438d0aedf7ab1
Author:     Slawomir Lis <slis <AT> gentoo <DOT> org>
AuthorDate: Wed Dec 28 12:59:11 2016 +0000
Commit:     Slawek Lis <slis <AT> gentoo <DOT> org>
CommitDate: Wed Dec 28 12:59:11 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c174cb6

net-analyzer/suricata: Dropping user privs in init script

Bug #602590

Package-Manager: Portage-2.3.3, Repoman-2.3.1

 net-analyzer/suricata/files/suricata-3.2-conf | 12 ++++++++-
 net-analyzer/suricata/files/suricata-3.2-init | 39 ++++++++++++++++++++-------
 net-analyzer/suricata/suricata-3.2-r1.ebuild  |  5 ++--
 3 files changed, 43 insertions(+), 13 deletions(-)

diff --git a/net-analyzer/suricata/files/suricata-3.2-conf 
b/net-analyzer/suricata/files/suricata-3.2-conf
index fc6885d..d8466b4 100644
--- a/net-analyzer/suricata/files/suricata-3.2-conf
+++ b/net-analyzer/suricata/files/suricata-3.2-conf
@@ -29,7 +29,7 @@
 # SURICATA_CONF="suricata.yaml"
 
 # You can define the options here:
-# NB: avoid using -l, -c and setting logging.outputs.1.file.filename as the 
init script will try to set them for you.
+# NB: avoid using -l, -c, --user, --group and setting 
logging.outputs.1.file.filename as the init script will try to set them for you.
 
 # SURICATA_OPTS_q0="-q 0"
 # SURICATA_OPTS_q1="-q 1"
@@ -44,3 +44,13 @@ SURICATA_OPTS="-i eth0"
 # SURICATA_LOG_FILE_q0="/var/log/suricata/q0/suricata.log"
 # SURICATA_LOG_FILE_q1="/var/log/suricata/q1/suricata.log"
 # SURICATA_LOG_FILE="/var/log/suricata/suricata.log"
+
+# Run as user/group.
+# Do not define if you want to run as root or as the user defined in the yaml 
config file (run-as).
+# The ebuild should have created the dedicated user/group suricata:suricata 
for you to specify here below.
+# SURICATA_USER_q0="suricata"
+# SURICATA_GROUP_q0="suricata"
+# SURICATA_USER_q1="suricata"
+# SURICATA_GROUP_q1="suricata"
+# SURICATA_USER="suricata"
+# SURICATA_GROUP="suricata"
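Review bot: The new comment block does not say that an instance without its own `SURICATA_USER_<id>`/`SURICATA_GROUP_<id>` inherits the global `SURICATA_USER`/`SURICATA_GROUP` (the init script falls back to them), so an admin who sets only the global pair and expects the `.q0`/`.q1` instances to keep root or the yaml `run-as` will not get that. The init script also only passes `--user`/`--group` when both values are non-empty, and a supplied `--user` presumably overrides `run-as` in suricata.yaml. I would add `# Instances without SURICATA_USER_<id>/SURICATA_GROUP_<id> fall back to SURICATA_USER/SURICATA_GROUP.` and `# Both user and group must be set for the init script to pass --user/--group.` above the examples.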

diff --git a/net-analyzer/suricata/files/suricata-3.2-init 
b/net-analyzer/suricata/files/suricata-3.2-init
index 1717dbb..b276f49 100644
--- a/net-analyzer/suricata/files/suricata-3.2-init
+++ b/net-analyzer/suricata/files/suricata-3.2-init
@@ -13,13 +13,19 @@ if [ -n "${SURICATA}" ] && [ ${SVCNAME} != "suricata" ]; 
then
     SURICATAPID="/var/run/suricata/suricata.${SURICATA}.pid"
     eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID}
     eval SURICATALOGPATH=\$SURICATA_LOG_FILE_${SURICATAID}
+    eval SURICATAUSER=\$SURICATA_USER_${SURICATAID}
+    eval SURICATAGROUP=\$SURICATA_GROUP_${SURICATAID}
 else
     SURICATACONF=${SURICATA_CONF}
     [ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata.yaml" 
|| SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
     SURICATAPID="/var/run/suricata/suricata.pid"
     SURICATAOPTS=${SURICATA_OPTS}
     SURICATALOGPATH=${SURICATA_LOG_FILE}
+    SURICATAUSER=${SURICATA_USER}
+    SURICATAGROUP=${SURICATA_GROUP}
 fi
+SURICATAUSER=${SURICATAUSER:-${SURICATA_USER}}
+SURICATAGROUP=${SURICATAGROUP:-${SURICATA_GROUP}}
 [ -e ${SURICATACONF} ] && SURICATAOPTS="${SURICATAOPTS} -c ${SURICATACONF}"
 
 description="Suricata IDS/IPS"
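Review bot: `SURICATAUSER=${SURICATA_USER}` and `SURICATAGROUP=${SURICATA_GROUP}` in the else branch are redundant once the unconditional fallback `SURICATAUSER=${SURICATAUSER:-${SURICATA_USER}}` / `SURICATAGROUP=${SURICATAGROUP:-${SURICATA_GROUP}}` follows the if/else; keep one of the two so the rule is stated in a single place. The fallback also changes what a per-instance service runs as when only the global pair is set, which deserves a comment above it, e.g. `# Per-instance user/group fall back to the global SURICATA_USER/SURICATA_GROUP.` The `eval` pattern for per-instance variables is pre-existing and not introduced here.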
@@ -37,11 +43,6 @@ depend() {
 }
 
 checkconfig() {
-       if [ ! -e ${SURICATACONF} ] ; then
-               einfo "The configuration file ${SURICATACONF} was not found."
-               einfo "If this is OK then make sure you set enough options for 
${SVCNAME} in /etc/conf.d/suricata."
-               einfo "Take a look at the suricata arguments --set and 
--dump-config."
-       fi
        if [ ! -d "/var/run/suricata" ] ; then
                checkpath -d /var/run/suricata
        fi
@@ -52,9 +53,22 @@ checkconfig() {
                if [ ! -d "${SURICATALOGPATH}" ] ; then
                        checkpath -d "${SURICATALOGPATH}"
                fi
+               if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ] && 
[ -e "${SURICATALOGPATH}" ]; then
+                       chown ${SURICATAUSER}:${SURICATAGROUP} 
"${SURICATALOGPATH}" || return 1
+                       chown ${SURICATAUSER}:${SURICATAGROUP} 
"${SURICATALOGPATH}"/* >/dev/null 2>&1 3>&1
+               fi
                SURICATAOPTS="${SURICATAOPTS} --set 
logging.outputs.1.file.filename=${SURICATALOGPATH}/${SURICATALOGFILE}"
                SURICATALOGPATH="-l ${SURICATALOGPATH}"
        fi
+       if [ ! -e ${SURICATACONF} ] ; then
+               einfo "The configuration file ${SURICATACONF} was not found."
+               einfo "If this is OK then make sure you set enough options for 
${SVCNAME} in /etc/conf.d/suricata."
+               einfo "Take a look at the suricata arguments --set and 
--dump-config."
+       fi
+       if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+               einfo "${SVCNAME} will run as user 
${SURICATAUSER}:${SURICATAGROUP}."
+               SURICATAOPTS="${SURICATAOPTS} --user=${SURICATAUSER} 
--group=${SURICATAGROUP}"
+       fi
 }
 
 initpidinfo() {
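Review bot: `chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}"/*` runs as root over a directory that the chown on the preceding line has just handed to the unprivileged service user, and chown without `-h` follows symlinks: a compromised suricata process could drop a symlink into its log directory and have root re-own an arbitrary file at the next start, reload or relog (checkconfig is called from all three). Use `chown -h ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}"/* >/dev/null 2>&1` so the links themselves are re-owned rather than their targets, and drop the stray `3>&1`. For the directory itself the script already relies on checkpath, so `checkpath -d -o "${SURICATAUSER}:${SURICATAGROUP}" "${SURICATALOGPATH}"` could replace the `checkpath -d` plus first-chown pair. checkconfig() opens before this hunk.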
@@ -77,8 +91,7 @@ checkpidinfo() {
                eerror "Unable to determine user running ${SVCNAME}!"
                return 1
        elif [ "x${SUR_USER}" != "xroot" ]; then
-               eerror "${SVCNAME} must be running as root for reload or relog 
to work!"
-               return 1
+               ewarn "${SVCNAME} may need to be running as root or as a 
priviledged user for the extra commands reload and relog to work."
         fi
 }
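Review bot: With this commit the expected configured state is that suricata runs as a non-root user, so the `elif [ "x${SUR_USER}" != "xroot" ]` branch now prints the ewarn on every reload and relog even when SUR_USER (presumably the daemon's process owner, set earlier in checkpidinfo) is exactly the user the script started it as; gate it on the configured user, e.g. `elif [ "x${SUR_USER}" != "xroot" ] && [ "x${SUR_USER}" != "x${SURICATAUSER}" ]; then`. The message also misspells "privileged" (`priviledged`). checkpidinfo() opens before this hunk.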
 
@@ -135,7 +148,11 @@ reload() {
        checkpidinfo || return 1
        checkconfig || return 1
        ebegin "Sending USR2 signal to ${SVCNAME} to perform a live rule and 
config reload."
-       start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+       if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+               start-stop-daemon --user ${SURICATAUSER} --group 
${SURICATAGROUP} --signal USR2 --pidfile ${SURICATAPID}
+       else
+               start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+       fi
        eend $?
 }
 
@@ -143,7 +160,11 @@ relog() {
        checkpidinfo || return 1
        checkconfig || return 1
        ebegin "Sending HUP signal to ${SVCNAME} to close and re-open all log 
files."
-       start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+       if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+               start-stop-daemon --user ${SURICATAUSER} --group 
${SURICATAGROUP} --signal HUP --pidfile ${SURICATAPID}
+       else
+               start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+       fi
        eend $?
 }
 

diff --git a/net-analyzer/suricata/suricata-3.2-r1.ebuild 
b/net-analyzer/suricata/suricata-3.2-r1.ebuild
index 816a69d..ee724a5 100644
--- a/net-analyzer/suricata/suricata-3.2-r1.ebuild
+++ b/net-analyzer/suricata/suricata-3.2-r1.ebuild
@@ -34,6 +34,7 @@ DEPEND="
        nfqueue?    ( net-libs/libnetfilter_queue )
        redis?      ( dev-libs/hiredis )
        logrotate?      ( app-admin/logrotate )
+       sys-libs/libcap-ng
 "
 # #446814
 #      prelude?    ( dev-libs/libprelude )
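Review bot: `sys-libs/libcap-ng` is added to DEPEND only; unless this ebuild sets `RDEPEND="${DEPEND}"` (not visible in this hunk), a library that suricata links against to drop privileges at runtime also belongs in RDEPEND, otherwise the init script's new `--user`/`--group` options work on the build host but a binary-package install can miss the library. Presumably libcap-ng is what backs `--user`/`--group`; if the build needs an explicit configure switch to pick it up, that change should accompany the dependency so the privilege drop is not silently compiled out.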
@@ -119,8 +120,6 @@ src_install() {
 
        dodir "/var/lib/${PN}"
        dodir "/var/log/${PN}"
-       dodir "/var/log/${PN}" \
-               "/var/lib/${PN}"
 
        fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
        fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
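Review bot: Now that the service can run as `${PN}`, the unchanged `fowners -R ${PN}: "/etc/${PN}"` line gives the unprivileged daemon write access to its own configuration and rules, so a compromised process could persist by editing files that are read back at the next root-initiated start; the privilege drop is worth more if the config is readable but not writable by the runtime user. Consider `fowners -R root:${PN} "/etc/${PN}"` together with the existing `fperms 750`, unless something that runs as `${PN}` (e.g. a rule updater) legitimately needs to write there, which I cannot tell from this hunk.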
@@ -151,7 +150,7 @@ pkg_postinst() {
        elog "You can create as many ${PN}.foo* services as you wish."
 
        if use logrotate; then
-               elog "You enabled the logrotate USE flag. Please make sure you 
correctly set up the ${PN} logortate config file in /etc/logrotate.d/."
+               elog "You enabled the logrotate USE flag. Please make sure you 
correctly set up the ${PN} logrotate config file in /etc/logrotate.d/."
        fi
 
        if use debug; then
