Package: suricata
Version: 1:4.1.2-2
Severity: important

Dear Maintainer,

attempting to use the run-as configuration option with the nflog capture method
results in the following error during the startup of suricata:
[ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed

Suricata ultimately fails to start without root privileges in the nflog
runmode (if you remove the run-as configuration section, suricata runs just
fine).

This is because SCDropMainThreadCaps in src/util-privs.c does not define the
required capabilities for the nflog runmode, unlike other runmodes.

I have reported this bug upstream [1] and also submitted a patch to address
this which has been accepted upstream [2].

I would appreciate if you could consider adding this patch to the suricata
package in the current stable release (buster) as the inability to drop root
privileges may have severe security implications and the patch itself is
trivial.

Of course, I have tested the patch against the current version of suricata in
stable (4.1.2-2). It works fine and allows suricata to drop root privileges
via the run-as configuration option, as expected. I'm attaching a backported
version of the aforementioned fix (same patch, just with 1 line offset).

Regards,

Timo

[1] https://redmine.openinfosecfoundation.org/issues/3265
[2] https://github.com/OISF/suricata/commit/1262ecbde0c2130f3fd4ca336cd2646828de9391


-- System Information:
Debian Release: 10.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-8-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages suricata depends on:
ii  dpkg                                   1.19.7
ii  libc6                                  2.28-10
ii  libcap-ng0                             0.7.9-2
ii  libevent-2.1-6                         2.1.8-stable-4
ii  libevent-pthreads-2.1-6                2.1.8-stable-4
ii  libgcc1                                1:8.3.0-6
ii  libgeoip1                              1.6.12-1
ii  libgnutls30                            3.6.7-4+deb10u2
ii  libhiredis0.14                         0.14.0-3
ii  libhtp2                                1:0.5.30-1
ii  libhyperscan5                          5.1.0-1
ii  libjansson4                            2.12-1
ii  libltdl7                               2.4.6-9
ii  libluajit-5.1-2                        2.1.0~beta3+dfsg-5.1
ii  liblz4-1                               1.8.3-1
ii  libmagic1                              1:5.35-4+deb10u1
ii  libnet1                                1.1.6+dfsg-3.1
ii  libnetfilter-log1                      1.0.1-1.1+b1
ii  libnetfilter-queue1                    1.0.3-1
ii  libnfnetlink0                          1.0.1-3+b1
ii  libnspr4                               2:4.20-1
ii  libnss3                                2:3.42.1-1+deb10u2
ii  libpcap0.8                             1.8.1-6
ii  libpcre3                               2:8.39-12
ii  libprelude23                           4.1.0-4.2
ii  libpython2.7-stdlib [python-argparse]  2.7.16-2+deb10u1
ii  libyaml-0-2                            0.2.1-1
ii  lsb-base                               10.2019051400
ii  python                                 2.7.16-1
ii  python-simplejson                      3.16.0-1
ii  zlib1g                                 1:1.2.11.dfsg-1

Versions of packages suricata recommends:
ii  python               2.7.16-1
pn  snort-rules-default  <none>
pn  suricata-oinkmaster  <none>

Versions of packages suricata suggests:
pn  libtcmalloc-minimal4  <none>

-- no debconf information

From 987c80cb4222e605fc98debd40694fbea49f3173 Mon Sep 17 00:00:00 2001
From: Timo Sigurdsson <public_tim...@silentcreek.de>
Date: Tue, 11 Feb 2020 23:29:06 +0100
Subject: [PATCH] init: Fix dropping privileges in nflog runmode

Using the run-as configuration option with the nflog capture method
results in the following error during the startup of suricata:
[ERRCODE: SC_ERR_NFLOG_BIND(248)] - nflog_bind_pf() for AF_INET failed

This is because SCDropMainThreadCaps does not have any capabilities
defined for the nflog runmode (unlike other runmodes). Therefore, apply
the same capabilities to the nflog runmode that are already defined for
the nfqueue runmode. This has been confirmed to allow suricata start
and drop its privileges in the nflog runmode.

Fixes redmine issue #3265.

Backport of commit 1262ecb upstream to suricata 4.1.2 (Debian Buster).

Signed-off-by: Timo Sigurdsson <public_tim...@silentcreek.de>
---
 src/util-privs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/util-privs.c b/src/util-privs.c
index 5ce6843eb7..bed5889b9a 100644
--- a/src/util-privs.c
+++ b/src/util-privs.c
@@ -75,9 +75,10 @@ void SCDropMainThreadCaps(uint32_t userid, uint32_t groupid)
                     CAP_NET_ADMIN, CAP_NET_RAW, CAP_SYS_NICE,
                     -1);
             break;
+        case RUNMODE_NFLOG:
         case RUNMODE_NFQ:
             capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
-                    CAP_NET_ADMIN,          /* needed for nfqueue inline mode */
+                    CAP_NET_ADMIN,          /* needed for nflog and nfqueue inline mode */
                     CAP_SYS_NICE,
                     -1);
             break;
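Review bot: the rewritten comment on the CAP_NET_ADMIN line ("needed for nflog and nfqueue inline mode") conflates two different reasons and reads as if nflog had an inline mode; nflog is a passive capture method, and for it the capability is needed for the nflog_bind_pf() netlink configuration call that the reported error names, whereas for nfqueue it is needed for inline (verdict) operation. Suggest splitting the comment so the next reader does not have to re-derive this, e.g. `CAP_NET_ADMIN, /* nfqueue inline mode; nflog_bind_pf() */`. Placing the new `case RUNMODE_NFLOG:` label directly above `case RUNMODE_NFQ:` so both fall into one capng_updatev() call is the right shape: it keeps the two netfilter runmodes in sync instead of duplicating the list, and CAP_SYS_NICE is carried along for the same thread-priority reason as in the nfqueue case.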

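As an added check, not part of the original report or of Suricata's own code: after applying the patch and starting suricata with run-as set, confirm from outside the process that the privilege drop actually happened. The script below reads /proc/<pid>/status, requires every uid and gid to be non-zero, and requires the effective and permitted capability sets to be exactly CAP_NET_ADMIN plus CAP_SYS_NICE, the set the patched RUNMODE_NFLOG/RUNMODE_NFQ case keeps. The three status blocks embedded in it are constructed samples, not captured from a real host, and uid 107 / gid 113 are assumed values for a suricata service user.

```python
#!/usr/bin/env python3
"""Verify that a running Suricata has dropped root and retained only the
capabilities the patched SCDropMainThreadCaps() grants to the nflog and
nfqueue runmodes (CAP_NET_ADMIN and CAP_SYS_NICE).

The kernel exposes Uid/Gid and the capability masks in /proc/<pid>/status.
The SAMPLE_* blocks are constructed test input; uid 107 / gid 113 are
assumed values for a 'suricata' user, not taken from the bug report.
"""
import sys

# Capability bit numbers as defined in <linux/capability.h>; list index == bit.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# What the patched RUNMODE_NFLOG / RUNMODE_NFQ case keeps after dropping root.
NETFILTER_RUNMODE_CAPS = frozenset({"CAP_NET_ADMIN", "CAP_SYS_NICE"})


def parse_proc_status(text):
    """Turn the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(hexmask):
    """Decode a CapEff/CapPrm hex mask into the set of capability names."""
    mask = int(hexmask, 16)
    names = set()
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            # Bits newer than this table are reported by number.
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
    return names


def check_privilege_drop(status_text, expected_caps=NETFILTER_RUNMODE_CAPS):
    """Return (ok, findings): ok only if no uid/gid is 0 and CapPrm/CapEff
    equal exactly expected_caps (nothing missing, nothing extra)."""
    fields = parse_proc_status(status_text)
    for key in ("Uid", "Gid", "CapPrm", "CapEff"):
        if key not in fields:
            return False, [f"missing {key} line in status"]
    findings = []
    # Uid/Gid columns are real, effective, saved-set and filesystem ids.
    if any(int(u) == 0 for u in fields["Uid"].split()):
        findings.append(f"process still runs with uid 0 (Uid: {fields['Uid']})")
    if any(int(g) == 0 for g in fields["Gid"].split()):
        findings.append(f"process still runs with gid 0 (Gid: {fields['Gid']})")
    for key in ("CapPrm", "CapEff"):
        have = decode_caps(fields[key])
        extra = have - expected_caps
        missing = expected_caps - have
        if extra:
            findings.append(f"{key} grants capabilities the runmode does not need: {sorted(extra)}")
        if missing:
            findings.append(f"{key} lacks capabilities the runmode needs: {sorted(missing)}")
    return (not findings), findings


# Constructed samples (not real captures). 0x801000 = bits 12 and 23 =
# CAP_NET_ADMIN | CAP_SYS_NICE; 0x3fffffffff = all 38 capabilities of a 4.19 kernel.
SAMPLE_DROPPED = (
    "Name:\tSuricata-Main\nUid:\t107\t107\t107\t107\nGid:\t113\t113\t113\t113\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000801000\nCapEff:\t0000000000801000\n"
)
SAMPLE_STILL_ROOT = (
    "Name:\tSuricata-Main\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
)
# uid dropped, but CAP_NET_RAW (bit 13) was kept as well: 0x803000.
SAMPLE_EXTRA_CAP = (
    "Name:\tSuricata-Main\nUid:\t107\t107\t107\t107\nGid:\t113\t113\t113\t113\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000803000\nCapEff:\t0000000000803000\n"
)


def main(argv):
    if len(argv) > 1:
        with open(f"/proc/{int(argv[1])}/status") as fh:  # real process
            text = fh.read()
    else:
        text = SAMPLE_DROPPED  # no pid given: run against the constructed sample
    ok, findings = check_privilege_drop(text)
    print("OK: root dropped, only CAP_NET_ADMIN and CAP_SYS_NICE retained" if ok
          else "FAIL:\n  " + "\n  ".join(findings))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the live daemon with `python3 check_suricata_privs.py "$(pidof -s suricata)"`. Worker threads have their own status files under /proc/<pid>/task/<tid>/status and can be fed to the same function if you want to confirm that no thread kept a wider set than the main thread.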