It seems to me that a Python script (custom command and/or controller) has no write permission under /etc.
Is this me making a mistake or is this a default setting and if so, can it be overcome? (maybe not due to security considerations)
I realize that for a search head cluster this could be non-trivial.
Do you mean the system's /etc, or $SPLUNK_HOME/etc?
If the former, I'd expect that to be the case, unless you have Splunk running as root (and I hope you don't). If the latter, I can't see why a custom search command wouldn't have the same permissions to anything under $SPLUNK_HOME, considering it should be running as the same user. I don't believe chroot or anything similar is used when Splunk calls external commands.
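A way to check the point made in the answer from inside the script itself, as an added example that is not part of the original thread or of Splunk's code: it reports which user the process runs as and whether that user can create files in a directory. The function name `describe_write_access` is hypothetical, and the `/opt/splunk` fallback for `SPLUNK_HOME` is an assumption.

```python
import os
import pwd
import stat


def describe_write_access(path):
    """Report the effective user and whether it may create files in `path`."""
    euid = os.geteuid()
    try:
        user = pwd.getpwuid(euid).pw_name
    except KeyError:
        # No passwd entry for this uid (common in minimal containers).
        user = str(euid)
    report = {
        "path": path,
        "euid": euid,
        "user": user,
        "running_as_root": euid == 0,
        "exists": os.path.isdir(path),
        "writable": False,
        "owner_uid": None,
        "mode": None,
    }
    if not report["exists"]:
        return report
    st = os.stat(path)
    report["owner_uid"] = st.st_uid
    report["mode"] = stat.filemode(st.st_mode)
    # Creating a file needs write AND search (execute) permission on the
    # directory. Check with the effective uid where the platform allows it.
    use_effective = os.access in os.supports_effective_ids
    report["writable"] = os.access(
        path, os.W_OK | os.X_OK, effective_ids=use_effective
    )
    return report


if __name__ == "__main__":
    # Assumption: /opt/splunk is only a fallback when SPLUNK_HOME is unset.
    splunk_home = os.environ.get("SPLUNK_HOME", "/opt/splunk")
    for target in ("/etc", os.path.join(splunk_home, "etc")):
        r = describe_write_access(target)
        print("{path}: user={user} (euid={euid}) exists={exists} "
              "mode={mode} owner_uid={owner_uid} writable={writable}".format(**r))
        if r["running_as_root"]:
            print("  note: running as root, so file permissions do not restrict writes")
```

Run it the same way the custom command is invoked, so the reported user is the one the search process actually uses rather than your interactive login.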