Is it possible to use /bin/false as a login shell for the user running splunkforwarder?
The splunkforwarder process seems to work with /bin/false, but running enable boot-start as root doesn't seem to work:
# /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
This account is currently not available.
First-time-run has not finished. Ignore this error when previewing migration - exiting.
Can someone confirm this behaviour?
The issue will be different depending on the version of Splunk.
Prior to 6.1, "/splunks/splunkforwarder/bin/splunk" start --no-prompt --answer-yes would create a line in init.d/splunk like
/bin/su - shaky -c "\"/splunks/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"
At 6.1 things changed a lot. splunk enable boot-start -user shaky now creates a script like
"/splunks/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
Note there is no "su" here. The user name is taken from SPLUNK_OS_USER in launch.conf.
Using the pre-6.1 method with a user that has a /bin/false shell will be problematic, as /bin/sh - shaky -c is interpreted as $SHELL -c after "su" is run, and /bin/false -c will fail.
When you run the enable boot-start, splunk creates the file splunk-launch.conf in /opt/splunkforwarder/etc. The problem seems to be that splunk needs a shell to create this file, so it has the privileges of the splunk user. I can't say whether this is a bug in splunk.
Apart from temporarily enabling a login shell to the splunk user and disabling it immediately after, you can also run the enable command without the -user option and manually edit splunk-launch.conf.
# /opt/splunkforwarder/bin/splunk enable boot-start
SPLUNK_OS_USER = splunk
chown splunk:splunk /opt/splunkforwarder/etc/splunk-launch.conf
Out of curiosity, which OS are you using? This seems to affect at least Debian-based systems.
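
A check for the two init-script styles discussed in this thread, as an added example that is not part of the original posts or Splunk's own tooling: it reports whether an init script still relies on "su - USER -c" for an account whose login shell is disabled, or whether the user comes from SPLUNK_OS_USER instead. The function names, the sample passwd entry, and the treatment of nologin shells the same way as /bin/false are assumptions made for this example.

```shell
# Added example: audit a Splunk boot-start setup for a no-login service account.

# User named by SPLUNK_OS_USER in a splunk-launch.conf (empty if unset).
launch_conf_user() {
    awk -F= '/^[ \t]*SPLUNK_OS_USER[ \t]*=/ { v = $2; gsub(/[ \t\r]/, "", v); u = v }
             END { if (u != "") print u }' "$1"
}

# User an init script switches to with "su - USER -c ..." (empty if none).
initscript_su_user() {
    awk '/^[ \t]*#/ { next }
         { for (i = 1; i + 3 <= NF; i++)
             if (($i == "su" || $i ~ /\/su$/) && $(i+1) == "-" && $(i+3) == "-c") { print $(i+2); exit } }' "$1"
}

# Login shell of USER from a passwd-format file (defaults to /etc/passwd).
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' "${2:-/etc/passwd}"
}

# Succeeds when the shell cannot run "su - USER -c command".
shell_blocks_su() {
    case "$1" in */false|*/nologin) return 0 ;; *) return 1 ;; esac
}

# Usage: audit_boot_start INIT_SCRIPT LAUNCH_CONF [PASSWD_FILE]
audit_boot_start() {
    su_user=$(initscript_su_user "$1")
    if [ -n "$su_user" ]; then
        if shell_blocks_su "$(login_shell "$su_user" "$3")"; then
            echo "FAIL: su - $su_user -c cannot run, login shell is disabled"
        else
            echo "OK: init script switches to $su_user with su"
        fi
    elif [ -n "$(launch_conf_user "$2")" ]; then
        echo "OK: no su, SPLUNK_OS_USER=$(launch_conf_user "$2")"
    else
        echo "WARN: no su and no SPLUNK_OS_USER, splunk starts as the invoking user"
    fi
}

# Constructed sample: the pre-6.1 init line from the thread plus a made-up passwd entry.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '/bin/su - shaky -c "\"/splunks/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"' > "$d/init"
    printf '%s\n' 'shaky:x:1001:1001::/splunks:/bin/false' > "$d/passwd"
    audit_boot_start "$d/init" /dev/null "$d/passwd"
    rm -rf "$d"
}
```

On a real host, pass the generated init script and /opt/splunkforwarder/etc/splunk-launch.conf as the first two arguments; the third defaults to /etc/passwd.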