Getting Data In

Deployed app on Universal Forwarder being created with 700 permissions (Linux Deployment Server to Linux UF)

twhitehead
New Member

Created an app on the deployment server which is used to tell the Universal Forwarder which directories and logs to monitor. There is no issue with this aspect, the logs are being monitored as expected.

What I would like to do is setup permissions on the Universal Forwarder so that other groups can read/write to the directories that are created by the UF.

  • Used RPM to install to /opt/splunkforwarder
  • splunk:splunkis used to own the files and run the service
  • setgid is configured on /opt/splunkforwarder
  • Setup File ACL permissions along with some defaults

    # file: opt/splunkforwarder/

    owner: splunk

    group: splunk

    flags: -s-

    user::rwx
    group::rwx
    group:splunk:rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:group::rwx
    default:group:splunk:rwx
    default:mask::rwx
    default:other::r-x

However when an app is deployed to the UF, the mask is not set on the ACL stripping the newly created directory of the group permissions.

Access: (2700/drwx--S---) Uid: ( 205/ splunk) Gid: ( 205/ splunk)

# file: myapp/
# owner: splunk
# group: splunk
# flags: -s-
user::rwx
group::rwx        #effective:---
group:splunk:rwx  #effective:---
mask::---
other::---
default:user::rwx
default:group::rwx
default:group:splunk:rwx
default:mask::rwx
default:other::r-x

Logging in interactively or non-interactive, the directories is created with the expected permissions.
Access: (2775/drwxrwsr-x) Uid: ( 205/ splunk) Gid: ( 205/ splunk)

# file: test/
# owner: splunk
# group: splunk
# flags: -s-
user::rwx
group::rwx
group:splunk:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:splunk:rwx
default:mask::rwx
default:other::r-x

I can manually add the mask sudo setfacl -Rm m:rwX myapp/and the effective permissions will be as intended.
Access: (2770/drwxrws---) Uid: ( 205/ splunk) Gid: ( 205/ splunk)

0 Karma
Get Updates on the Splunk Community!

Welcome to the Future of Data Search & Exploration

You have more data coming at you than ever before. Over the next five years, the total amount of digital data ...

What’s new on Splunk Lantern in August

This month’s Splunk Lantern update gives you the low-down on all of the articles we’ve published over the past ...

This Week's Community Digest - Splunk Community Happenings [8.3.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...