using setcap to allow non-root splunk user to start splunkweb on port 443

cps42
Explorer

Per the instructions found here in the splunkbase and here, I tried to use the 'setcap' command. I can't quite get it to work. Modifying /opt/splunk/bin/splunk does not allow splunk to bind to the admin ports. Trying to setcap /opt/splunk/bin/python2.6 causes python to lose access to the local python modules.

Is there a documented way to use Linux Capabilities to allow a non-root Splunk system to listen on 443 and 514?

first test of setcap, nothing changed but permissions of bin/splunk

cps@sea-splunk01:/opt/splunk/bin$ setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/splunk
unable to set CAP_SETFCAP effective capability: Operation not permitted
cps@sea-splunk01:/opt/splunk/bin$ sudo !!
sudo setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/splunk
cps@sea-splunk01:/opt/splunk/bin$ sudo /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkweb...
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
.
Stopping splunk helpers...

Done.

Splunk> 4TW

Checking prerequisites...
        Checking http port [8000]: open
        Checking mgmt port [8089]: open
        Checking configuration...  Done.
        Checking index directory...  Done.
        Checking databases...
        Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary
All preliminary checks passed.

Starting splunk server daemon (splunkd)... Done.
Starting splunkweb... Done.

If you get stuck, we're here to help.  
Look for answers here: http://www.splunk.com/base/Documentation

The Splunk web interface is at http://sea-splunk01:8000

ok, this all works, so I'm going to try modifying to use port 443 and restart

cps@sea-splunk01:/opt/splunk/etc$ sudo /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkweb...
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
.
Stopping splunk helpers...

Done.

Splunk> 4TW

Checking prerequisites...
        Checking http port [443]: open
        Checking mgmt port [8089]: open
        Checking configuration...  Done.
        Checking index directory...  Done.
        Checking databases...
        Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary
All preliminary checks passed.

Starting splunk server daemon (splunkd)... Done.
Starting splunkweb... Error starting splunkweb.

Hmmm, it saw that 443 was open, but couldn't bind it. Rats. Change back to 8443 for now, and restart.

Let's try modifying bin/python2.6, and see what happens

cps@sea-splunk01:/opt/splunk/bin$ sudo setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/python2.6 
cps@sea-splunk01:/opt/splunk/bin$ 
cps@sea-splunk01:/opt/splunk/bin$ 
cps@sea-splunk01:/opt/splunk/bin$ sudo /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkweb...
Stopping splunkd...
Shutting down.  Please wait, as this may take a few minutes.
.
Stopping splunk helpers...

Done.

Splunk> 4TW

Checking prerequisites...
        Checking http port [8443]: open
        Checking mgmt port [8089]: open
Traceback (most recent call last):
  File "/opt/splunk/lib/python2.6/site-packages/splunk/clilib/cli.py", line 17, in  <module>
  import splunk.clilib.cli_common as comm
  File "/opt/splunk/lib/python2.6/site-packages/splunk/clilib/cli_common.py", line 6, in <module>
  import lxml.etree as etree
  ImportError: libxslt.so.1: cannot open shared object file: No such file or directory

Stephen_Sorkin
Splunk Employee

You cannot use setcap to grant the capability to splunkd or python in any meaningful way. Processes in Linux that are run with escalated privileges cannot use an LD_LIBRARY_PATH, which is essential. Your best bet is one of the suggestions from http://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privilege....

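Added example (not from the thread or from Splunk): the accepted answer's point has a kernel-level cause that can be checked directly. A binary carrying file capabilities is exec'd with AT_SECURE set, and in that secure-execution mode the dynamic loader ignores LD_LIBRARY_PATH, which is what produces the libxslt ImportError in the question. This script decodes the capability masks and the AT_SECURE flag of a process from /proc (Linux only; the function names are mine).

```python
import struct
import sys

# Capability bit numbers from <linux/capability.h>; other bits print as cap_<bit>.
CAP_NAMES = {0: "cap_chown", 7: "cap_setuid", 10: "cap_net_bind_service",
             21: "cap_sys_admin", 31: "cap_setfcap"}
AT_SECURE = 23  # auxv key; value 1 = kernel started the process in secure mode


def caps_from_hex(cap_hex):
    """Expand a CapEff/CapPrm style hex mask from /proc/<pid>/status."""
    mask = int(cap_hex, 16)
    return [CAP_NAMES.get(bit, f"cap_{bit}") for bit in range(64)
            if mask >> bit & 1]


def parse_status(text):
    """Return the named capability sets found in /proc/<pid>/status text."""
    caps = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb"):
            caps[key] = caps_from_hex(value.strip())
    return caps


def at_secure(auxv, word=8, endian="<"):
    """Scan a raw auxv (key/value word pairs) for AT_SECURE; True if set."""
    # A set flag means ld.so runs in secure-execution mode and ignores
    # LD_LIBRARY_PATH, which is why splunkd/python stop finding /opt/splunk/lib.
    fmt = endian + ("Q" if word == 8 else "I")
    for off in range(0, len(auxv) - 2 * word + 1, 2 * word):
        (key,) = struct.unpack_from(fmt, auxv, off)
        (val,) = struct.unpack_from(fmt, auxv, off + word)
        if key == 0:  # AT_NULL terminates the vector
            break
        if key == AT_SECURE:
            return bool(val)
    return False


def inspect_self():
    """Capabilities and secure-mode flag of the current process (Linux only)."""
    with open("/proc/self/status") as f:
        caps = parse_status(f.read())
    with open("/proc/self/auxv", "rb") as f:
        secure = at_secure(f.read(), struct.calcsize("P"),
                           "<" if sys.byteorder == "little" else ">")
    return caps, secure
```

Running `inspect_self()` under an interpreter that itself carries file capabilities shows AT_SECURE flipping to True alongside cap_net_bind_service in CapEff; a plain run shows False.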

weigeltf
New Member

Method 3 works perfectly for me.


frankejj
Explorer

Easiest method I found was to use the iptables method of port redirection.

iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables-save

Then configure httpport = 8443 in web.conf

cps42
Explorer

Yes, I did check that. Execution works flawlessly if I remove the capabilities permissions.

I did discover the capable_probe kernel module here[1], and I was able to discover that splunkd requests the permissions first. I modified splunkd permissions, and ran into the same issue, that splunkd no longer looked in /opt/splunk/lib for dynamic libraries.
However, splunkweb will not start, even when splunkd can find them. I opened a similar question with Ubuntu, 119518 [2] also.

[1] http://www.friedhoff.org/downloads.html
[2] https://answers.launchpad.net/ubuntu/+source/libcap2/+question/119158


gkanapathy
Splunk Employee
Splunk Employee

Have you ensured that all files in the Splunk directory are owned and accessible by Splunk and not just by root?
