Why does splunk need to be installed as root?

Splunk Employee

The docs mention installs need to be done as root (but don't really explain why)
- http://docs.splunk.com/Documentation/Splunk/6.2.0/Installation/RunSplunkasadifferentornon-rootuser

Some answers refer to the need to provide, to the user running splunk, access to /dev/urandom, though it isn't clear why that's necessary (encryption?)
- http://answers.splunk.com/answers/49153/install-splunk-as-non-root-user.html

What aspects of the installation of splunk require root privileges? For the more security-conscious sysadmins out there, being able to install splunk without opening the root kimono would be much preferable.

BTW, as a test, I installed splunk as a non-root user (on a host where splunk was already installed), then brought up this new instance as that user, and verified there weren't any errors during startup. I also verified that I could log in to the UI and do basic navigation. So at first glance, it looks like the root privileges aren't a requirement. Then again, this was far from a thorough shake-out test, and could've missed something.

1 Solution

Splunk Employee

Splunk does not need to be installed as root, but you cannot install packages on Linux, Solaris, or FreeBSD as non-root, generally speaking. A tar-based install should work of course.

I think it was just easier to write the how-to in the scope of unpacking it as root in order to create a splunk user, since that's reasonable best-practice in any event, and the boot-start action will require root access, though you're free to set up init scripts or equivalent yourself.

Ultra Champion

(Not sure if this counts as an answer or a comment as I'm kind of building off of the prior answer.)

I never install as root. Splunk has the ability to run scripts as scripted inputs and as the result of a triggered alert. That, to me, is too high a risk to allow it to be run as root. Obviously running as non-root means you'll need to make sure any inputs have proper permissions and/or sudo where required - none of that has been complicated or labor intensive enough to dissuade me from installing as root.

Here's what I do:

  1. root: create a "splunk" user account
  2. root: install with rpm
  3. root: chown and chmod to make sure the install is owned by the "splunk" account and can execute stuff in the bin directory, respectively (just to be super duper safe)
  4. splunk: Start splunk su - ${USER} -c "${SPLUNK_HOME}/bin/splunk start --answer-yes --no-prompt --accept-license"
  5. root: enable boot start AS splunk ${SPLUNK_HOME}/bin/splunk enable boot-start -user ${USER}

All of that should be in the documentation if you need further explanation on any of the params, etc...

Happy Splunking!
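
The five steps above as one script, added here as an example (not the poster's code and not Splunk's own tooling): it runs once as root, follows the post's order, and adds a defender's check that the whole tree is owned by the service account before the first start and that no splunkd runs as root afterwards. The SPLUNK_RPM path, the account's shell and the variable defaults are assumptions.

```shell
#!/bin/sh
# Added example: the post's steps 1-5 as a script run once as root (assumed defaults below).
set -eu

SPLUNK_USER="${SPLUNK_USER:-splunk}"
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_RPM="${SPLUNK_RPM:-/tmp/splunk.rpm}"   # placeholder: path to the downloaded package

# Post-install check: everything under $1 is owned by $2 and bin/splunk is executable.
check_install_ownership() {
    home=$1; user=$2
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 1; }
    stray=$(find "$home" ! -user "$user" -print 2>/dev/null | head -n 1)
    if [ -n "$stray" ]; then
        echo "not owned by $user: $stray" >&2; return 1
    fi
    if [ ! -x "$home/bin/splunk" ]; then
        echo "$home/bin/splunk is not executable" >&2; return 1
    fi
    return 0
}

# Runtime check: after start and boot-start, no splunkd process may run as root.
check_splunkd_not_root() {
    if pgrep -u root -x splunkd >/dev/null 2>&1; then
        echo "splunkd is running as root" >&2; return 1
    fi
    return 0
}
install_as_nonroot() {
    # 1. root: dedicated service account (no home created; SPLUNK_HOME comes from the rpm)
    id "$SPLUNK_USER" >/dev/null 2>&1 || useradd -r -s /bin/bash -d "$SPLUNK_HOME" -M "$SPLUNK_USER"
    # 2. root: install the package
    rpm -i "$SPLUNK_RPM"
    # 3. root: hand the tree to the service account and make sure bin/ is executable
    chown -R "$SPLUNK_USER:$SPLUNK_USER" "$SPLUNK_HOME"
    chmod u+x "$SPLUNK_HOME"/bin/*
    check_install_ownership "$SPLUNK_HOME" "$SPLUNK_USER"
    # 4. splunk: first start as the service account (the post's su - ... -c form)
    su - "$SPLUNK_USER" -c "$SPLUNK_HOME/bin/splunk start --answer-yes --no-prompt --accept-license"
    # 5. root: boot-start that launches splunkd as the service account, then verify
    "$SPLUNK_HOME/bin/splunk" enable boot-start -user "$SPLUNK_USER"
    check_splunkd_not_root
}

# Only perform the install when explicitly asked: sudo sh splunk-nonroot.sh install
if [ "${1:-}" = "install" ]; then
    install_as_nonroot
fi
```

Running it without the `install` argument only defines the functions, so `check_install_ownership /opt/splunk splunk` can be sourced and rerun as a standalone audit after upgrades.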

Builder

I downvoted this post because non-root accounts can be run as systemd to persist through reboots

SplunkTrust

Hi
There are two separate things:

  • install as root (or at least partially)
  • running as another user

If you want to use e.g. an rpm package or automatic start on boot, it's mandatory to use at least sudo (as root) when you are doing the installation. BUT after that you can and actually should run splunk as a non-root account like splunk or srv-splk or anything other than root.

Also UFs should run as a non-root user, but that needs quite a lot of fine tuning to access all needed log files.

Ismo

Path Finder

I downvoted this post because boot-start can be enabled/disabled via sudo. It does not require root.

Contributor

I downvoted this post because downvoting without a clue.

Path Finder

@rob.gibson, I'm not sure why you would downvote this post

'sudo' is a setuid root binary, which executes root commands on behalf of authorized users; the users need to enter their own password to execute a system command prefixed with 'sudo'.

Splunk Employee

Sudo is a mechanism by which you can enable users to take actions as other users, typically to take actions as root.