Splunk takes ownership of a binary file?

leduser
Engager

I'm not a Linux expert, but I installed Splunk to take a look. It worked fine. After playing a while, I noticed that one of my program's permissions had been changed to being owned by splunk!

In the /usr/sbin directory, the mumble program had changed permissions! This happened only to the mumble binary, as well as the mumble startup file in /etc/init.d (same exact permission change).

Server is Ubuntu 10.04 Server. Splunk is latest, downloaded and installed two days ago.

Orig:

-rwxr-xr-x  1 joe  1001   6612323 2011-01-15 19:51 mumble*

Now:

-rwxr-xr-x  1 splunk  admin   6612323 2011-01-15 19:51 mumble*

Tried to fix:

$ chown joe:1001 mumble
ls -l mumble
-rwxr-xr-x  1 joe  splunk   6612323 2011-01-15 19:51 mumble*

$ chgrp root mumble
ls -l mumble
-rwxr-xr-x  1 joe  root   6612323 2011-01-15 19:51 mumble*

$ chgrp 1001 mumble
ls -l mumble
-rwxr-xr-x  1 joe  splunk   6612323 2011-01-15 19:51 mumble*

I don't understand why splunk would take ownership of this file, and why is group 1001 resulting in "splunk"? Admittedly, I'm no Linux expert, so I apologize if I'm missing something obvious.

So, I am unable to change the group ownership back to 1001 as it was originally. This is a test machine, but I'm rather concerned that this could happen. Thanks.

Linegod
Path Finder

Whenever a group shows up as a number, it means that it has not been assigned, and is therefore invalid.

When splunk was installed, it created the splunk group using the next available group number - in this case 1001.

It is not a bug or error, it is how Linux works.

You should really be assigning mumble to a group which exists (look in /etc/group)
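
The behaviour described in the answer above, as an added example that is not part of the original thread or of Splunk's installer: a file stores only a numeric GID, so when an install later creates a group with that number, the file appears to belong to the new group. The group file and paths are constructed in a temp directory, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Group files used here are constructed samples, not /etc/group.

# gid_name GROUPFILE GID: print the group name for GID, or nothing if unassigned
gid_name() {
    awk -F: -v gid="$2" '$3 == gid { print $1; exit }' "$1"
}

# file_gid PATH: numeric group id stored on the file (4th column of ls -ln)
file_gid() {
    ls -lnd -- "$1" | awk '{ print $4 }'
}

# shown_group GROUPFILE PATH: what the group column of "ls -l" would display
shown_group() {
    sg_gid=$(file_gid "$2")
    sg_name=$(gid_name "$1" "$sg_gid")
    if [ -n "$sg_name" ]; then echo "$sg_name"; else echo "$sg_gid"; fi
}

# orphans GROUPFILE DIR: list "GID PATH" for files whose GID has no group entry
orphans() {
    for f in "$2"/*; do
        [ -e "$f" ] || continue
        o_gid=$(file_gid "$f")
        [ -n "$(gid_name "$1" "$o_gid")" ] || echo "$o_gid $f"
    done
}

# demo: replay the thread's sequence in a temp directory
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/sbin"
    touch "$work/sbin/mumble"
    gid=$(file_gid "$work/sbin/mumble")
    # Before install: constructed group file with no entry for this GID
    printf 'other:x:%s:\n' "$((gid + 1))" > "$work/group"
    echo "before: group column = $(shown_group "$work/group" "$work/sbin/mumble")"
    echo "orphaned: $(orphans "$work/group" "$work/sbin")"
    # Installer creates its group and is handed the same free number
    printf 'splunk:x:%s:\n' "$gid" >> "$work/group"
    echo "after:  group column = $(shown_group "$work/group" "$work/sbin/mumble")"
    rm -rf "$work"
}

demo
```

On a live system, `find / -xdev \( -nouser -o -nogroup \)` lists files in the same state against the real account databases, which is worth running before installing packages that create service accounts.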
