It might be a security improvement to let suricata run with non-root privileges and a special permission for the provided capture modes. Running as root might be a problem if a protocol parser or some other input-dependent code is exploitable.

Robert Haist
----------------
2BC8 3F55 A400 7468 864C 680E 1B7C C8D4 D4E9 14AA
I agree. I don't know right now how to achieve this change, I will investigate. Best regards.
Hi,

Do you mean the following part of the config file:

# Run suricata as user and group.
#run-as:
#  user: suri
#  group: suri

This already reduces the risk in case a parser is compromised, but using such a user is not the default configuration (you have to create one and uncomment these lines). That could be added to the Debian package.

Or, do you mean an additional mechanism to start as a user (like file capabilities)? Technically, file capabilities already work, however the required capability will depend on the capture method.

Regards,
Pierre
Making this setting the default and creating a suricata user on installation would be a very good start, I think. Based on the suricata wiki this might only work for libpcap mode. But maybe this information is outdated and can be clarified by some OISF dev.
We should consider ownership of logfiles. They are created when suricata is still root, and a later HUP signal (reload) could lead to a failed reopen because of permissions. Perhaps suricata could fix ownership of logfiles before dropping privileges, but I don't know if this is implemented upstream. I don't see a short-term solution right now.
Dear all, we run Suricata under the suri user. In bug report #839146 [1] there are comments on what changes were needed in the systemd.service file to get it working properly on our Debian Jessie systems.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839146
Hi, upstream improved the log rotation [0] and that may help in running suricata under a different user than root. Please keep an eye on the upcoming upstream releases uploaded to Debian to check if this is true. I will do some tests on my side too when the release happens. Regards.

[0] https://redmine.openinfosecfoundation.org/issues/1938
A fresh Debian jessie system with jessie-backports enabled. I added a 'suri' user and a 'suri' group to the system:

% sudo adduser --system suri
% sudo addgroup --system suri
% sudo adduser suri suri

I edited /etc/suricata/suricata.yaml and set:

run-as:
  user: suri
  group: suri

Then I checked /var/log/suricata/. The files there belong, by default installation, to root. I tried to start suricata by issuing:

% sudo systemctl start suricata

The logs show:

[...]
24/4/2017 -- 11:08:07 - <Info> - dropped the caps for main thread
24/4/2017 -- 11:08:07 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//fast.log": Permission denied
24/4/2017 -- 11:08:07 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
24/4/2017 -- 11:08:07 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//eve.json": Permission denied
24/4/2017 -- 11:08:07 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
24/4/2017 -- 11:08:07 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//stats.log": Permission denied
24/4/2017 -- 11:08:07 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
24/4/2017 -- 11:08:07 - <Info> - Going to use 8 thread(s)
24/4/2017 -- 11:08:07 - <Info> - Using unix socket file '/var/run/suricata-command.socket'
24/4/2017 -- 11:08:07 - <Warning> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Unix socket: UNIX socket bind(/var/run/suricata-command.socket) error: Address already in use
24/4/2017 -- 11:08:07 - <Warning> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Unable to create unix command socket
24/4/2017 -- 11:08:07 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.

So, suricata fails to open the log files, since they belong to root. Also, suricata fails to open the unix socket, since /var/run/ is also a protected directory.

BTW, shortly after these messages, suricata seems to enter a loop (100% CPU consumed):

[...]
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
[...]

which is clearly not good.

What if I change the /var/log/suricata permissions?

% sudo chown suri:suri /var/log/suricata/*

Starting suricata:

[...]
24/4/2017 -- 11:11:28 - <Info> - dropped the caps for main thread
24/4/2017 -- 11:11:28 - <Info> - fast output device (regular) initialized: fast.log
24/4/2017 -- 11:11:28 - <Info> - eve-log output device (regular) initialized: eve.json
24/4/2017 -- 11:11:28 - <Info> - stats output device (regular) initialized: stats.log
24/4/2017 -- 11:11:28 - <Info> - Going to use 8 thread(s)
24/4/2017 -- 11:11:29 - <Info> - Using unix socket file '/var/run/suricata-command.socket'
24/4/2017 -- 11:11:29 - <Warning> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Unix socket: UNIX socket bind(/var/run/suricata-command.socket) error: Address already in use
24/4/2017 -- 11:11:29 - <Warning> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Unable to create unix command socket
24/4/2017 -- 11:11:29 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:11:29 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:11:29 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:11:29 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:11:29 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.
24/4/2017 -- 11:11:29 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:11:29 - <Info> - Unix socket: accept() error: Invalid argument
[...]

It seems this solves the log opening issues. But still, the unix socket problem is the same. A solution to avoid the problems with the unix socket with the current suricata code would be to use a different path for it, a path which is under the admin's control and whose ownership could safely be switched. I haven't investigated further in this direction.

If I disable privilege dropping, all seems good:

[...]
24/4/2017 -- 11:19:52 - <Info> - Going to use 8 thread(s)
24/4/2017 -- 11:19:52 - <Info> - Using unix socket file '/var/run/suricata-command.socket'
24/4/2017 -- 11:19:52 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.
24/4/2017 -- 11:19:52 - <Info> - All AFP capture threads are running.
[...]

It seems log handling is not the only challenge when dropping privileges, and it seems that a bit more work is required in order to successfully run suricata with privilege dropping. Will report further as soon as I have more news regarding this subject. I will send this information upstream as well.
BTW, the exact same behaviour can be detected in Debian testing (stretch):

[...]
24/4/2017 -- 11:40:45 - <Info> - dropped the caps for main thread
24/4/2017 -- 11:40:45 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//fast.log": Permission denied
24/4/2017 -- 11:40:45 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
24/4/2017 -- 11:40:45 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//eve.json": Permission denied
24/4/2017 -- 11:40:45 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
24/4/2017 -- 11:40:45 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//stats.log": Permission denied
24/4/2017 -- 11:40:45 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
24/4/2017 -- 11:40:45 - <Info> - Going to use 8 thread(s)
24/4/2017 -- 11:40:45 - <Info> - Using unix socket file '/var/run/suricata-command.socket'
24/4/2017 -- 11:40:45 - <Warning> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Unix socket: UNIX socket bind(/var/run/suricata-command.socket) error: Address already in use
24/4/2017 -- 11:40:45 - <Warning> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Unable to create unix command socket
24/4/2017 -- 11:40:45 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:40:45 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.
24/4/2017 -- 11:40:45 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:40:45 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:40:45 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:40:45 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:40:45 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:40:45 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:40:45 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:40:45 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:40:45 - <Info> - Unix socket: accept() error: Invalid argument
[...]
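Added example, not part of this bug thread or of the Suricata project: a small Python triage function over startup log lines in the format quoted in the reports above. The sample log is constructed here; the function reports which files failed to open with "Permission denied" after capabilities were dropped, whether the unix command socket failed to bind, and whether the repeated accept() error indicating the busy loop appeared.

```python
import os
import re

# Constructed sample, modelled on the Suricata 3.x startup output quoted in this thread.
SAMPLE_LOG = """\
24/4/2017 -- 11:08:07 - <Info> - dropped the caps for main thread
24/4/2017 -- 11:08:07 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//fast.log": Permission denied
24/4/2017 -- 11:08:07 - <Warning> - [ERRCODE: SC_ERR_INVALID_ARGUMENT(13)] - output module setup failed
24/4/2017 -- 11:08:07 - <Error> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/var/log/suricata//eve.json": Permission denied
24/4/2017 -- 11:08:07 - <Warning> - [ERRCODE: SC_ERR_INITIALIZATION(45)] - Unix socket: UNIX socket bind(/var/run/suricata-command.socket) error: Address already in use
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Info> - Unix socket: accept() error: Invalid argument
24/4/2017 -- 11:08:07 - <Notice> - all 8 packet processing threads, 4 management threads initialized, engine started.
"""

# "<date> -- <time> - <Level> - <message>" as printed by the Suricata versions in the thread.
LINE_RE = re.compile(r'^(?P<ts>\S+ -- \S+) - <(?P<level>\w+)> - (?P<msg>.*)$')
FOPEN_RE = re.compile(r'Error opening file: "(?P<path>[^"]+)": (?P<reason>.+)$')
BIND_RE = re.compile(r'UNIX socket bind\((?P<path>[^)]+)\) error: (?P<reason>.+)$')
ACCEPT_MSG = 'Unix socket: accept() error: Invalid argument'


def triage_privdrop(log_text, accept_loop_threshold=3):
    """Summarise privilege-drop problems seen in a Suricata startup log."""
    result = {'caps_dropped': False, 'unwritable_after_drop': [],
              'socket_bind_error': None, 'accept_loop': False, 'engine_started': False}
    accept_errors = 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a Suricata log line (e.g. the "[...]" elision markers)
        msg = m.group('msg')
        fo = FOPEN_RE.search(msg)
        bind = BIND_RE.search(msg)
        if msg == 'dropped the caps for main thread':
            result['caps_dropped'] = True
        elif fo and result['caps_dropped'] and fo.group('reason') == 'Permission denied':
            # Only failures after the drop point at ownership of files created while root.
            result['unwritable_after_drop'].append(os.path.normpath(fo.group('path')))
        elif bind:
            result['socket_bind_error'] = (bind.group('path'), bind.group('reason'))
        elif msg == ACCEPT_MSG:
            accept_errors += 1
        elif msg.startswith('all ') and 'engine started' in msg:
            result['engine_started'] = True
    # A burst of identical accept() errors is the symptom of the 100% CPU loop described above.
    result['accept_loop'] = accept_errors >= accept_loop_threshold
    return result
```

Feed it `journalctl -u suricata` output or suricata.log after a restart with run-as enabled; an empty `unwritable_after_drop` list and no bind error means the ownership and socket-path preparation was sufficient.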
Would it be possible to package this in a way that doesn't require running as the root user? The current packaging creates a significant security risk for the entire system.

https://docs.suricata.io/en/suricata-6.0.14/security.html

Requires a bit of tuning, but works fine.

Eero
We believe that the bug you reported is fixed in the latest version of
suricata, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 836929@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Dolp <dev@andreas-dolp.de> (supplier of updated suricata package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 20 Aug 2025 21:55:13 +0200
Source: suricata
Binary: suricata suricata-dbgsym
Architecture: source amd64
Version: 1:8.0.0-1~exp1
Distribution: experimental
Urgency: medium
Maintainer: Pierre Chifflier <pollux@debian.org>
Changed-By: Andreas Dolp <dev@andreas-dolp.de>
Description:
suricata - Next Generation Intrusion Detection and Prevention Tool
Closes: 836929 1109307
Changes:
suricata (1:8.0.0-1~exp1) experimental; urgency=medium
.
[ Andreas Dolp ]
* New upstream release.
* Remove libhtp dependency as this is now built in Suricata.
* Remove LUA as this is now built in Suricata.
* Bump versioned Rust dependency to 1.75.0 or later.
* Remove recommended package snort-rules-default.
* Remove Python3 dependencies.
* Add libunwind-dev build dependency.
* Refresh Debian patches.
* Use systemd service Type=notify for systemd status notification.
* Remove libnss compile option and dependency.
* Remove libnspr compile option and dependency.
* Remove enable-libhs compile option.
* Add d/suricata.conffiles to remove sysv init conffiles.
* Align rundir and unix command socket to upstream /var/run/suricata/.
* Run Suricata as user suricata. (Closes: #836929, #1109307)
* Add configuration for landlock LSM security sandbox, but disabled by
default.
.
[ Sascha Steinbiss ]
* Remove sysv init support.
* Adjust README.Debian to mention systemd drop-in approach to
customize ExecStart parameters without having to clone the
packaged unit file.
* Remove unneeded ISC license text from d/copyright.
* Add NEWS.Debian file documenting the change.
reopen 836929