From Splunk Wiki


Ensuring Splunk runs as a non-root user

Running splunk as a user other than root on UNIX systems is fully supported and works fine. However, when administering such systems, it is all too easy to log in as root to troubleshoot a problem and accidentally start splunk as the root user, leading to permissions problems down the road when attempting to run as the conventional splunk user later.

Since this is a general problem on the UNIX platform, we recommend that you establish local operating procedures to guard against this situation, such as logging in as non-root users and issuing administrative commands only via sudo when needed.

Nonetheless, here are some recommendations to avoid the problem:

Start splunk via the system splunk launch script

Splunk ships with a feature to enable launch on system boot-up.

The script it installs is provided in order to launch splunk on restart, but it also provides an interface for managing the service generally, with support for start, stop, restart, and requesting status.

For example,

[root@beefysup01 bin]# ./splunk enable boot-start -user splunk

-user is pretty important (it sets SPLUNK_OS_USER=splunk in $SPLUNK_HOME/etc/splunk-launch.conf)!

With this script you can invoke

 /etc/init.d/splunk start

which will ensure it is launched as the user you specified. Also functional:

 /etc/init.d/splunk restart
 /etc/init.d/splunk stop
 /etc/init.d/splunk status

Essentially, this script invokes Splunk via su <username>. If run as a non-root user, it may prompt for the splunk user's password.
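As an added check that is not part of the original wiki page, the following POSIX shell functions read SPLUNK_OS_USER from splunk-launch.conf and flag any splunkd or splunk process running as a different user, which is exactly the accidental root start described above. The process list is passed in as text ("user command" pairs) so the functions can be exercised on constructed data; in real use feed them the output of `ps -eo user=,comm=`.

```shell
#!/bin/sh
# Added example (not Splunk's own code): detect splunk processes that are not
# running as the user configured by "splunk enable boot-start -user <name>".

# Print the SPLUNK_OS_USER value from the given splunk-launch.conf, or nothing
# if the key is absent. Leading whitespace around the key and "=" is tolerated.
configured_splunk_user() {
    sed -n 's/^[[:space:]]*SPLUNK_OS_USER[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Read "user command" lines on stdin (as produced by: ps -eo user=,comm=) and
# print every splunkd/splunk process whose user differs from $1.
# Exit status 1 if any mismatch was found, 0 otherwise.
find_mismatched_processes() {
    awk -v want="$1" '
        $2 ~ /^splunkd?$/ && $1 != want { print; bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Combine both: $1 = path to splunk-launch.conf, $2 = process list text.
# Returns 0 when every splunk process runs as the configured user,
# 1 when a mismatch was printed, 2 when SPLUNK_OS_USER is not configured.
check_splunk_processes() {
    conf="$1"
    ps_output="$2"
    user=$(configured_splunk_user "$conf")
    if [ -z "$user" ]; then
        echo "SPLUNK_OS_USER not set in $conf; run 'splunk enable boot-start -user <name>'" >&2
        return 2
    fi
    printf '%s\n' "$ps_output" | find_mismatched_processes "$user"
}

# Real use on a host (assumes SPLUNK_HOME is set in the environment):
#   check_splunk_processes "$SPLUNK_HOME/etc/splunk-launch.conf" "$(ps -eo user=,comm=)"
```

Note that `ps` abbreviates long user names with a trailing `+`, so on hosts with such names compare numeric UIDs instead (`ps -eo uid=,comm=`) after resolving the configured user with `id -u`.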

Create a custom launch script

The above method is effective, but it is global for the whole system and will not pass through arbitrary command-line arguments. You can provide very similar functionality via a trivial script:

 prompt$ cd $SPLUNK_HOME/bin
 prompt$ vi local_splunk_launch

 #!/bin/sh
 # su -c takes a single command string, so re-quote every argument before forwarding it
 for arg in "$@"; do args="$args '$(printf %s "$arg" | sed "s/'/'\\\\''/g")'"; done
 exec su splunk -c "${SPLUNK_HOME:?SPLUNK_HOME must be set}/bin/splunk $args"
 # save and quit

 prompt$ chmod u+x local_splunk_launch

If you run local_splunk_launch instead of splunk, it will either run as splunk (when invoked from root) or ask for the splunk user's password.

Make the splunk binary setuid to the splunk user

You can use the UNIX setuid feature to enforce that the splunk executable always runs as the owner of the file.

splunk@beefysup01:~> cd $SPLUNK_HOME/bin
splunk@beefysup01:~/25240/3.4.6/bin> ls -l splunk
-r-xr-xr-x 1 splunk splunk 48808 Feb 18 19:32 splunk

Hmm.. I don't want just anyone to be able to start or stop my splunk install.

splunk@beefysup01:~/25240/3.4.6/bin> chmod go= splunk
splunk@beefysup01:~/25240/3.4.6/bin> ls -l splunk
-r-x------ 1 splunk splunk 48808 Feb 18 19:32 splunk

Okay, now only the splunk user, or root, can access it at all.

splunk@beefysup01:~/25240/3.4.6/bin> chmod u+s splunk
splunk@beefysup01:~/25240/3.4.6/bin> ls -l splunk
-r-s------ 1 splunk splunk 48808 Feb 18 19:32 splunk

Now the splunk program will always execute as the owner of the file, in this case splunk. This third method causes Splunk to be launched as the owner of the executable via almost any launch method, but it also has security implications that you should fully understand before deploying it.

If unclear about these implications, consider:
