Apps packaged in splunk rpm have invalid permissions?

christopherutz
Path Finder

We have installed splunk instances on our servers to be used as forwarders. We use the deployment client/server to push out app packages to our various forwarders. We have recently attempted to add the unix application into our server classes so it is deployed to all remote splunk forwarders. We see the below error from the deployment client indicating it cannot remove the old unix app (I believe it is included in the rpm install) because the directory permissions are incorrect.

09-09-2010 15:38:03.726 WARN  DeployedServerClass - There was a problem installing app: unix for server class: unixClass
09-09-2010 15:39:03.773 WARN  DeployedApplication - Unable to remove folder: /opt/splunk/etc/apps/unix. Splunk will continue trying to install application. Directory not empty

The directory permissions on the contents of etc/apps/unix are 555 rather than something that is writable like 755. Is this intended? We could update the permissions on the app, but anytime we add a new forwarder we will have to remember to correct the bad permissions. Obviously this is not ideal. One possible solution we have come up with is to make a copy of the unix app on our deployment server so it resides in a different folder (something like my_unix). While this will fix the problem, it seems like a hack.

1 Solution

jrodman
Splunk Employee

The permissions on directories in the splunk package / tarfile are not explicitly declared. This means that your local umask will dictate the permissions applied to the directories. In your environment, you seem to have a 222 umask, which results in the directories being unwritable.

Personally I recommend 022, or otherwise more restrictive on group/other.

There's at least one bug to track the issue of this permission issue, identified internally as SPL-33753. I'll bring it up in our weekly bug discussion.

You can work around this by either: setting umask explicitly before splunk installs, e.g.

umask 022; rpm ....

or you can after-the-fact set them as you desire, e.g.:

find /opt/splunk -type d -exec chmod u=rwx,go=rx {} \;

0 Karma
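
The audit-then-fix step from the answer above, as an added shell example that is not part of the original thread or Splunk's own tooling. It builds a constructed temporary tree (the directory names other than unix are made up for illustration), lists directories whose owner cannot write, then applies the answer's chmod.

```shell
#!/bin/sh
# Added example: find and repair directories left unwritable by a restrictive umask.

# Build a constructed sample tree and print its root. Two directories are
# created under umask 222 (mode 555, as in the question) and one under
# umask 022 (mode 755). The body runs in a subshell so the caller's umask
# is left unchanged.
make_sample_tree() (
    umask 022
    root=$(mktemp -d) || exit 1
    ( umask 222; mkdir "$root/unix" "$root/sample_app" )
    ( umask 022; mkdir "$root/writable_app" )
    printf '%s\n' "$root"
)

# List every directory under $1 whose owner write bit is missing.
# These are the directories the deployment client cannot clean out.
unwritable_dirs() {
    find "$1" -type d ! -perm -200 -print
}

# Number of directories reported by unwritable_dirs.
count_unwritable() {
    unwritable_dirs "$1" | wc -l | tr -d ' '
}

# The after-the-fact fix from the answer: rwxr-xr-x on every directory.
fix_dir_modes() {
    find "$1" -type d -exec chmod u=rwx,go=rx {} \;
}

# Demo run against the constructed tree (not a real Splunk install).
demo_root=$(make_sample_tree)
echo "before fix: $(count_unwritable "$demo_root") unwritable directories"
unwritable_dirs "$demo_root"
fix_dir_modes "$demo_root"
echo "after fix:  $(count_unwritable "$demo_root") unwritable directories"
rm -rf "$demo_root"
```

On a real forwarder, running unwritable_dirs against the install root right after the package install shows whether the installing shell's umask caused the problem before the deployment client hits it.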

christopherutz
Path Finder

Thanks, I will get with my CT group to make sure the umask is set before they perform future splunk installations using puppet.

0 Karma