From: "Slawek Lis" <slis@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/, net-analyzer/suricata/files/
Date: Wed, 28 Dec 2016 13:10:42 +0000 (UTC) [thread overview]
Message-ID: <1482929951.2c174cb604c2c99f9d9e8ac4fab438d0aedf7ab1.slis@gentoo> (raw)
commit: 2c174cb604c2c99f9d9e8ac4fab438d0aedf7ab1
Author: Slawomir Lis <slis <AT> gentoo <DOT> org>
AuthorDate: Wed Dec 28 12:59:11 2016 +0000
Commit: Slawek Lis <slis <AT> gentoo <DOT> org>
CommitDate: Wed Dec 28 12:59:11 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c174cb6
net-analyzer/suricata: Dropping user privs in init script
Bug #602590
Package-Manager: Portage-2.3.3, Repoman-2.3.1
net-analyzer/suricata/files/suricata-3.2-conf | 12 ++++++++-
net-analyzer/suricata/files/suricata-3.2-init | 39 ++++++++++++++++++++-------
net-analyzer/suricata/suricata-3.2-r1.ebuild | 5 ++--
3 files changed, 43 insertions(+), 13 deletions(-)
diff --git a/net-analyzer/suricata/files/suricata-3.2-conf b/net-analyzer/suricata/files/suricata-3.2-conf
index fc6885d..d8466b4 100644
--- a/net-analyzer/suricata/files/suricata-3.2-conf
+++ b/net-analyzer/suricata/files/suricata-3.2-conf
@@ -29,7 +29,7 @@
# SURICATA_CONF="suricata.yaml"
# You can define the options here:
-# NB: avoid using -l, -c and setting logging.outputs.1.file.filename as the init script will try to set them for you.
+# NB: avoid using -l, -c, --user, --group and setting logging.outputs.1.file.filename as the init script will try to set them for you.
# SURICATA_OPTS_q0="-q 0"
# SURICATA_OPTS_q1="-q 1"
@@ -44,3 +44,13 @@ SURICATA_OPTS="-i eth0"
# SURICATA_LOG_FILE_q0="/var/log/suricata/q0/suricata.log"
# SURICATA_LOG_FILE_q1="/var/log/suricata/q1/suricata.log"
# SURICATA_LOG_FILE="/var/log/suricata/suricata.log"
+
+# Run as user/group.
+# Do not define if you want to run as root or as the user defined in the yaml config file (run-as).
+# The ebuild should have created the dedicated user/group suricata:suricata for you to specify here below.
+# SURICATA_USER_q0="suricata"
+# SURICATA_GROUP_q0="suricata"
+# SURICATA_USER_q1="suricata"
+# SURICATA_GROUP_q1="suricata"
+# SURICATA_USER="suricata"
+# SURICATA_GROUP="suricata"
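Review bot: The new comment block does not say that the user and the group have to be set together, yet the init script only drops privileges when both are non-empty (its `[ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]` tests), so a lone `SURICATA_USER="suricata"` leaves the daemon running as root with no message. Suggest adding after the line about run-as: `# Both the user and the group must be set for the init script to drop privileges; setting only one of them is ignored.` It would also help to state that `SURICATA_USER_q0` and friends fall back to `SURICATA_USER`/`SURICATA_GROUP` when unset, which the init script does.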
diff --git a/net-analyzer/suricata/files/suricata-3.2-init b/net-analyzer/suricata/files/suricata-3.2-init
index 1717dbb..b276f49 100644
--- a/net-analyzer/suricata/files/suricata-3.2-init
+++ b/net-analyzer/suricata/files/suricata-3.2-init
@@ -13,13 +13,19 @@ if [ -n "${SURICATA}" ] && [ ${SVCNAME} != "suricata" ]; then
SURICATAPID="/var/run/suricata/suricata.${SURICATA}.pid"
eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID}
eval SURICATALOGPATH=\$SURICATA_LOG_FILE_${SURICATAID}
+ eval SURICATAUSER=\$SURICATA_USER_${SURICATAID}
+ eval SURICATAGROUP=\$SURICATA_GROUP_${SURICATAID}
else
SURICATACONF=${SURICATA_CONF}
[ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
SURICATAPID="/var/run/suricata/suricata.pid"
SURICATAOPTS=${SURICATA_OPTS}
SURICATALOGPATH=${SURICATA_LOG_FILE}
+ SURICATAUSER=${SURICATA_USER}
+ SURICATAGROUP=${SURICATA_GROUP}
fi
+SURICATAUSER=${SURICATAUSER:-${SURICATA_USER}}
+SURICATAGROUP=${SURICATAGROUP:-${SURICATA_GROUP}}
[ -e ${SURICATACONF} ] && SURICATAOPTS="${SURICATAOPTS} -c ${SURICATACONF}"
description="Suricata IDS/IPS"
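Review bot: The fallback lines `SURICATAUSER=${SURICATAUSER:-${SURICATA_USER}}` and `SURICATAGROUP=${SURICATAGROUP:-${SURICATA_GROUP}}` after the `fi` make the two assignments in the `else` branch redundant, since an empty `SURICATAUSER` is re-filled from `SURICATA_USER` anyway; dropping the `else`-branch pair keeps one source of truth. The fallback also changes behaviour for named instances: a `suricata.foo` service without its own `SURICATA_USER_foo` now inherits the global user, which deserves a one-line comment above the fallback, e.g. `# Per-instance user/group fall back to the global SURICATA_USER/SURICATA_GROUP.` The enclosing `if` begins before this hunk.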
@@ -37,11 +43,6 @@ depend() {
}
checkconfig() {
- if [ ! -e ${SURICATACONF} ] ; then
- einfo "The configuration file ${SURICATACONF} was not found."
- einfo "If this is OK then make sure you set enough options for ${SVCNAME} in /etc/conf.d/suricata."
- einfo "Take a look at the suricata arguments --set and --dump-config."
- fi
if [ ! -d "/var/run/suricata" ] ; then
checkpath -d /var/run/suricata
fi
@@ -52,9 +53,22 @@ checkconfig() {
if [ ! -d "${SURICATALOGPATH}" ] ; then
checkpath -d "${SURICATALOGPATH}"
fi
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ] && [ -e "${SURICATALOGPATH}" ]; then
+ chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}" || return 1
+ chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}"/* >/dev/null 2>&1 3>&1
+ fi
SURICATAOPTS="${SURICATAOPTS} --set logging.outputs.1.file.filename=${SURICATALOGPATH}/${SURICATALOGFILE}"
SURICATALOGPATH="-l ${SURICATALOGPATH}"
fi
+ if [ ! -e ${SURICATACONF} ] ; then
+ einfo "The configuration file ${SURICATACONF} was not found."
+ einfo "If this is OK then make sure you set enough options for ${SVCNAME} in /etc/conf.d/suricata."
+ einfo "Take a look at the suricata arguments --set and --dump-config."
+ fi
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ einfo "${SVCNAME} will run as user ${SURICATAUSER}:${SURICATAGROUP}."
+ SURICATAOPTS="${SURICATAOPTS} --user=${SURICATAUSER} --group=${SURICATAGROUP}"
+ fi
}
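Review bot: The second `chown` in checkconfig runs as root over `"${SURICATALOGPATH}"/*` and follows symbolic links by default, while the line before it hands ownership of that same directory to the service user; once the daemon has run unprivileged, any symlink it leaves in its log directory would redirect the next root `chown` to the link's target. Using `chown -h ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}"/* >/dev/null 2>&1` changes the links themselves instead of their referents, or the glob can be dropped entirely since the daemon creates its own files with the right owner. The trailing `3>&1` on that line redirects a descriptor nothing in the hunk opens and looks like a leftover. Quoting `"${SURICATAUSER}:${SURICATAGROUP}"` in both `chown` calls would also match the quoting of the path argument.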
initpidinfo() {
@@ -77,8 +91,7 @@ checkpidinfo() {
eerror "Unable to determine user running ${SVCNAME}!"
return 1
elif [ "x${SUR_USER}" != "xroot" ]; then
- eerror "${SVCNAME} must be running as root for reload or relog to work!"
- return 1
+ ewarn "${SVCNAME} may need to be running as root or as a priviledged user for the extra commands reload and relog to work."
fi
}
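Review bot: The new `ewarn` message misspells "privileged" as "priviledged"; since this string is printed to the administrator on every reload/relog of an unprivileged instance, it should read `ewarn "${SVCNAME} may need to be running as root or as a privileged user for the extra commands reload and relog to work."` The enclosing function checkpidinfo begins before this hunk.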
@@ -135,7 +148,11 @@ reload() {
checkpidinfo || return 1
checkconfig || return 1
ebegin "Sending USR2 signal to ${SVCNAME} to perform a live rule and config reload."
- start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal USR2 --pidfile ${SURICATAPID}
+ else
+ start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+ fi
eend $?
}
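Review bot: The five-line `if`/`else` around `start-stop-daemon` in reload is repeated verbatim in relog in the next hunk, and both duplicate the user/group test that checkconfig already performs when it appends `--user`/`--group` to SURICATAOPTS. Setting a variable there once, `SURICATASSDARGS="--user ${SURICATAUSER} --group ${SURICATAGROUP}"`, lets each caller collapse to `start-stop-daemon ${SURICATASSDARGS} --signal USR2 --pidfile ${SURICATAPID}` (HUP in relog), with an empty variable when no user is configured. The enclosing function reload begins before this hunk.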
@@ -143,7 +160,11 @@ relog() {
checkpidinfo || return 1
checkconfig || return 1
ebegin "Sending HUP signal to ${SVCNAME} to close and re-open all log files."
- start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal HUP --pidfile ${SURICATAPID}
+ else
+ start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+ fi
eend $?
}
diff --git a/net-analyzer/suricata/suricata-3.2-r1.ebuild b/net-analyzer/suricata/suricata-3.2-r1.ebuild
index 816a69d..ee724a5 100644
--- a/net-analyzer/suricata/suricata-3.2-r1.ebuild
+++ b/net-analyzer/suricata/suricata-3.2-r1.ebuild
@@ -34,6 +34,7 @@ DEPEND="
nfqueue? ( net-libs/libnetfilter_queue )
redis? ( dev-libs/hiredis )
logrotate? ( app-admin/logrotate )
+ sys-libs/libcap-ng
"
# #446814
# prelude? ( dev-libs/libprelude )
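Review bot: The added `sys-libs/libcap-ng` is the only unconditional entry among USE-conditional ones in this DEPEND block and carries no comment on why it is there; a short `# required by suricata to drop privileges for --user/--group` would tie it to the init-script change in this commit. The privilege drop happens at runtime, so if this ebuild declares RDEPEND separately (not visible in the hunk), the same atom needs to appear there as well. If the package's configure detects libcap-ng automatically rather than via a switch, the build could otherwise silently lose the feature.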
@@ -119,8 +120,6 @@ src_install() {
dodir "/var/lib/${PN}"
dodir "/var/log/${PN}"
- dodir "/var/log/${PN}" \
- "/var/lib/${PN}"
fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
@@ -151,7 +150,7 @@ pkg_postinst() {
elog "You can create as many ${PN}.foo* services as you wish."
if use logrotate; then
- elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logortate config file in /etc/logrotate.d/."
+ elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logrotate config file in /etc/logrotate.d/."
fi
if use debug; then