From Splunk Wiki
Ensuring Splunk runs as a non-root user
Running splunk as a user other than root on UNIX systems is fully supported, and works fine. However, when administrating such systems, it is all too easy to log in as root to troubleshoot a problem, and accidentally start splunk as the root user, leading to permissions peroblems down the road when attempting to run as the conventional splunk user later.
Since this is a general problem on the UNIX platform, we recommend that you create local processes to guard against this situation, such as logging in via nonroot users and only issuing administrative commands via sudo when needed.
Nonetheless, here are some recommendations to avoid the problem:
Start splunk via the system splunk launch script
Splunk ships with a feature to
enable launch on system boot up.
This script is provided in order to launch splunk on restart, but provides an interface for managing the service generally, with support for start, stop, restart, and requesting status.
[root@beefysup01 bin]# ./splunk enable boot-start -user splunk
-user is pretty important (it sets SPLUNK_OS_USER=splunk in $SPLUNK_HOME/etc/splunk-launch.conf)!
With this script you can invoke
which will ensure it is launched as the user you specified. Also functional:
/etc/init.d/splunk restart /etc/init.d/splunk stop /etc/init.d/splunk status
Essentially, this script invokes Splunk via
If run as nonroot, it may prompt for the splunk user's password.
Create a custom launch script
The above method is effective, but is global for the whole system, and will not handle arbitrary command line arguments etc. You can provide very similar functionality via a trivial script:
prompt$ cd $SPLUNK_HOME/bin prompt$ vi local_splunk_launch
su splunk -c splunk "$@"
- save and quit
prompt$ chmod u+x local_splunk_launch
If you run local_splunk_launch instead of splunk, it will either run as splunk (from root) or ask for the splunk user's password.
Make the splunk binary setuid to the splunk user
You can use the UNIX setuid feature to enforce that the splunk executable always runs as the owner of the file.
splunk@beefysup01:~> cd $SPLUNK_HOME/bin splunk@beefysup01:~/25240/3.4.6/bin> ls -l splunk -r-xr-xr-x 1 splunk splunk 48808 Feb 18 19:32 splunk
Hmm.. I don't want just anyone to be able to start or stop my splunk install.
splunk@beefysup01:~/25240/3.4.6/bin> chmod go= splunk splunk@beefysup01:~/25240/3.4.6/bin> ls -l splunk -r-x------ 1 splunk splunk 48808 Feb 18 19:32 splunk
Okay, now only the splunk user, or root can can access it at all.
splunk@beefysup01:~/25240/3.4.6/bin> chmod u+s splunk splunk@beefysup01:~/25240/3.4.6/bin> ls -l splunk -r-s------ 1 splunk splunk 48808 Feb 18 19:32 splunk
splunk program will always execute as the owner
of the file, in this case:
splunk. This third method
will cause Splunk to be launched as the owner of the executable via
most any launch method, but also has security implications that you
should fully understand if deploying it.
If unclear about these implications, consider: http://oreilly.com/catalog/9780596003432/