Getting Data In

Deployed app on Universal Forwarder being created with 700 permissions (Linux Deployment Server to Linux UF)

twhitehead
New Member

Created an app on the deployment server which is used to tell the Universal Forwarder which directories and logs to monitor. There is no issue with this aspect, the logs are being monitored as expected.

What I would like to do is setup permissions on the Universal Forwarder so that other groups can read/write to the directories that are created by the UF.

  • Used RPM to install to /opt/splunkforwarder
  • splunk:splunkis used to own the files and run the service
  • setgid is configured on /opt/splunkforwarder
  • Setup File ACL permissions along with some defaults

    # file: opt/splunkforwarder/

    owner: splunk

    group: splunk

    flags: -s-

    user::rwx
    group::rwx
    group:splunk:rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:group::rwx
    default:group:splunk:rwx
    default:mask::rwx
    default:other::r-x

However when an app is deployed to the UF, the mask is not set on the ACL stripping the newly created directory of the group permissions.

Access: (2700/drwx--S---) Uid: ( 205/ splunk) Gid: ( 205/ splunk)

# file: myapp/
# owner: splunk
# group: splunk
# flags: -s-
user::rwx
group::rwx        #effective:---
group:splunk:rwx  #effective:---
mask::---
other::---
default:user::rwx
default:group::rwx
default:group:splunk:rwx
default:mask::rwx
default:other::r-x

Logging in interactively or non-interactive, the directories is created with the expected permissions.
Access: (2775/drwxrwsr-x) Uid: ( 205/ splunk) Gid: ( 205/ splunk)

# file: test/
# owner: splunk
# group: splunk
# flags: -s-
user::rwx
group::rwx
group:splunk:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:splunk:rwx
default:mask::rwx
default:other::r-x

I can manually add the mask sudo setfacl -Rm m:rwX myapp/and the effective permissions will be as intended.
Access: (2770/drwxrws---) Uid: ( 205/ splunk) Gid: ( 205/ splunk)

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!