Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Splunk Data Input Script apparently running in root directory

julianniemeyer
New Member
‎03-05-2020 04:24 AM

I am experimenting on a test system and have a simple shell script that consists of one line to call Python 3 to run a python script. Splunk 8.0.1 on RedHat 7.6 I do not understand what I am seeing or why.

So the shell script is called myprog.sh and is in /data/splunk/etc/apps/myprog/bin and consists of the call:

/data/splunk/bin/python3.7m  /data/splunk/etc/apps/myprog/bin/myprog.py

myprog.py just runs a few function calls to see what the current directory and id are and what files it contains and outputs them on STDERR so I can see then in splunkd.log

$>cat myprog.py
#! /data/splunk/bin/python3
import sys
import os
def run() :
    print("CWD ", os.getcwd(), " ID ", os.geteuid(), file=sys.stderr)
    files = os.listdir('.')
    for file in files:
        print (file, file=sys.stderr)
if __name__ == '__main__':
    run()

If run interactively it reports the current directory is /data/splunk/etc/apps/myprog/bin and my id is 2000 (splunk) exactly as I would have expected

If configured and run as through Settings -> Data Input -> Script (set to every 60 seconds), the current directory is reported as / - i.e. the root directory:

03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" CWD  /  ID  2000
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" boot
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" dev
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" home
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" proc
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" run
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" sys
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" tmp
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" var
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" etc
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" root
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" usr
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" bin
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" sbin
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" lib
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" lib64
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" media
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" mnt
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" opt
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" srv
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" .autorelabel
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" data

Is this expected behaviour? It seems to me to be worrisome that an app could have access to the entire file system like this - even if as user splunk rather than user root. Furthermore, I guess if someone were to run this script on a system where splunkd was running as root (frowned on, I know), the results could be "interesting".

Any thoughts would be welcome! Thanks.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

In today’s data-heavy environment, organizations are caught in a data distribution dilemma. As data volumes ...

GA: New Data Management App in Splunk Platform

Streamlining Data Management: Introducing a unified experience in Splunk Managing data at scale shouldn’t feel ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...