Splunk takes ownership of a binary file?

leduser
Engager

I'm not a Linux expert, but I installed Splunk to take a look. It worked fine. After playing awhile, I noticed that one of my program's permissions had been changed to being owned by splunk!

In the /usr/sbin directory, the mumble program had changed permissions! This happened only to the mumble binary, as well as the mumble startup file in /etc/init.d (same exact permission change).

Server is Ubuntu 10.04 Server. Splunk is latest, downloaded and installed two days ago.

Orig:

-rwxr-xr-x  1 joe  1001   6612323 2011-01-15 19:51 mumble*

Now:

-rwxr-xr-x  1 splunk  admin   6612323 2011-01-15 19:51 mumble*

Tried to fix:

$ chown joe:1001 mumble
ls -l mumble
-rwxr-xr-x  1 joe  splunk   6612323 2011-01-15 19:51 mumble*

$ chgrp root mumble
ls -l mumble
-rwxr-xr-x  1 joe  root   6612323 2011-01-15 19:51 mumble*

$ chgrp 1001 mumble
ls -l mumble
-rwxr-xr-x  1 joe  splunk   6612323 2011-01-15 19:51 mumble*

I don't understand why splunk would take ownership of this file, and why is group 1001 resulting in "splunk"? Admittedly, I'm no Linux expert, so I apologize if I'm missing something obvious.

So, I am unable to change the group ownership back to 1001 as it was originally. This is a test machine, but I'm rather concerned that this could happen. Thanks.

Linegod
Path Finder

Whenever a group shows up as a number, it means that it has not been assigned, and is therefore invalid.

When splunk was installed, it created the splunk group using the next available group number - in this case 1001.

It is not a bug or error, it is how Linux works.

You should really be assigning mumble to a group which exists (look in /etc/group).
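
The check below is an added example, not part of either post: it walks a directory tree and reports files whose numeric owner or group has no entry in the account database, which is the state mumble was in before the Splunk install created a group with GID 1001. The function names are made up for this example, and `table_lookup` exists only so the before/after situation can be reproduced without root.

```python
import grp
import os
import pwd
import sys


def table_lookup(table):
    """Build a lookup from a dict {id: name} that behaves like
    pwd.getpwuid / grp.getgrgid (KeyError when the id is unassigned).
    Hypothetical helper for offline demonstration only."""
    def lookup(ident):
        return (table[ident],)
    return lookup


def _resolves(lookup, ident):
    """True if the numeric id maps to a name in the account database."""
    try:
        lookup(ident)
        return True
    except KeyError:
        return False


def find_unassigned_owners(root, user_lookup=pwd.getpwuid,
                           group_lookup=grp.getgrgid):
    """Return [(path, uid, gid, problems)] for entries under root whose
    uid or gid has no passwd/group entry. Such files are silently
    inherited by whichever account is later created with that id."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report the link, not its target
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            problems = []
            if not _resolves(user_lookup, st.st_uid):
                problems.append("nouser")
            if not _resolves(group_lookup, st.st_gid):
                problems.append("nogroup")
            if problems:
                findings.append((path, st.st_uid, st.st_gid, problems))
    return findings


if __name__ == "__main__":
    # Defaults are the two directories named in the question.
    for root in sys.argv[1:] or ["/usr/sbin", "/etc/init.d"]:
        for path, uid, gid, problems in find_unassigned_owners(root):
            print(f"{path}: uid={uid} gid={gid} {','.join(problems)}")
```

Running this before installing software that creates service accounts shows which files would change apparent ownership once a new user or group takes over an unassigned ID.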
