Hi,
Is it possible to use /bin/false as a login shell for the user running splunkforwarder?
The splunkforwarder process seems to work with /bin/false, but running enable boot-start as root doesn't seem to work:
# /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
This account is currently not available.
First-time-run has not finished. Ignore this error when previewing migration - exiting.
Can someone confirm this behaviour?
Thanks!
As of today, on a CentOS 6 server, we tested modifying the shell for the splunk user from /bin/bash to /sbin/nologin.
This server is running the Splunk Universal Forwarder.
After having modified the /etc/passwd file and restarted the Splunk Universal Forwarder it is still working, as well as the scripts directly launched by it.
#to modify the shell
usermod -s /sbin/nologin splunk
#to restart the Universal Forwarder
/etc/init.d/splunk restart
The issue will be different depending on the version of Splunk.
Prior to 6.1, "/splunks/splunkforwarder/bin/splunk" start --no-prompt --answer-yes would create a line in init.d/splunk like
/bin/su - shaky -c "\"/splunks/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
At 6.1 things changed a lot. splunk enable boot-start -user shaky now creates a script like
"/splunks/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
Note there is no "su" here. The user name is taken from SPLUNK_OS_USER in launch.conf.
Using the pre-6.1 method with a user that has a /bin/false shell will be problematic, as /bin/sh - shaky -c is interpreted as $SHELL -c after "su" is run, and /bin/false -c will fail.
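The interaction described in the answer above can be checked before a reboot. This is an added example, not part of the original post and not Splunk's own tooling: it reads a passwd-format file and an init script and reports whether the script starts the forwarder through "su - <user> -c" for an account whose shell refuses commands. The function names, the verdict strings and the sample files are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example: predict whether a boot script fails for a no-login service account.

# Print the login shell recorded for user $2 in passwd-format file $1.
login_shell() {
    awk -F: -v u="$2" '$1 == u { print $7 }' "$1"
}

# Succeed if shell $1 is one that refuses to run commands.
is_nologin_shell() {
    case "$1" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if init script $1 starts the process via "su - <user> -c" for user $2.
uses_su() {
    grep -Eq "(^|[[:space:]/])su[[:space:]]+-[[:space:]]+$2[[:space:]]+-c" "$1"
}

# Classify the combination: prints "broken", "ok-su" or "ok-no-su".
boot_start_verdict() {   # args: passwd_file init_script user
    shell=$(login_shell "$1" "$3")
    if uses_su "$2" "$3"; then
        if is_nologin_shell "$shell"; then echo broken; else echo ok-su; fi
    else
        echo ok-no-su
    fi
}

# Constructed sample data (not taken from a real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'shaky:x:501:501::/splunks:/bin/false' > "$demo_dir/passwd"
printf '%s\n' '/bin/su - shaky -c "\"/splunks/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"' \
    > "$demo_dir/init_pre61"
printf '%s\n' '"/splunks/splunkforwarder/bin/splunk" start --no-prompt --answer-yes' \
    > "$demo_dir/init_61"

boot_start_verdict "$demo_dir/passwd" "$demo_dir/init_pre61" shaky
boot_start_verdict "$demo_dir/passwd" "$demo_dir/init_61" shaky
```

On a real host, pass /etc/passwd and the generated init script (for example /etc/init.d/splunk) instead of the sample files.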
Hi HansWurscht,
When you run the enable boot-start, splunk creates the file splunk-launch.conf in /opt/splunkforwarder/etc. The problem seems to be that splunk needs a shell to create this file, so it has the privileges of the splunk user. I can't say whether this is a bug in splunk.
Apart from temporarily enabling a login shell to the splunk user and disabling it immediately after, you can also run the enable command without the -user option and manually edit splunk-launch.conf.
# /opt/splunkforwarder/bin/splunk enable boot-start
/opt/splunkforwarder/etc/splunk-launch.conf
SPLUNK_OS_USER = splunk
chown splunk:splunk /opt/splunkforwarder/etc/splunk-launch.conf
Out of curiosity, which OS are you using? This seems to affect at least Debian-based systems.
Have you tried to enable boot start while splunk user still has a valid shell, and then changing it back to /bin/false? Does it start at reboot (or "service start splunk")?
No. For a clean install process, this should not be needed.