Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk Data Input Script apparently running in roo...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Data Input Script apparently running in root directory
julianniemeyer
New Member
03-05-2020
04:24 AM
I am experimenting on a test system and have a simple shell script that consists of one line to call Python 3 to run a python script. Splunk 8.0.1 on RedHat 7.6 I do not understand what I am seeing or why.
So the shell script is called myprog.sh and is in /data/splunk/etc/apps/myprog/bin and consists of the call:
/data/splunk/bin/python3.7m /data/splunk/etc/apps/myprog/bin/myprog.py
myprog.py just runs a few function calls to see what the current directory and id are and what files it contains and outputs them on STDERR so I can see then in splunkd.log
$>cat myprog.py
#! /data/splunk/bin/python3
import sys
import os
def run() :
print("CWD ", os.getcwd(), " ID ", os.geteuid(), file=sys.stderr)
files = os.listdir('.')
for file in files:
print (file, file=sys.stderr)
if __name__ == '__main__':
run()
If run interactively it reports the current directory is /data/splunk/etc/apps/myprog/bin and my id is 2000 (splunk) exactly as I would have expected
If configured and run as through Settings -> Data Input -> Script (set to every 60 seconds), the current directory is reported as / - i.e. the root directory:
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" CWD / ID 2000
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" boot
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" dev
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" home
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" proc
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" run
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" sys
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" tmp
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" var
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" etc
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" root
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" usr
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" bin
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" sbin
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" lib
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" lib64
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" media
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" mnt
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" opt
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" srv
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" .autorelabel
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" data
Is this expected behaviour? It seems to me to be worrisome that an app could have access to the entire file system like this - even if as user splunk rather than user root. Furthermore, I guess if someone were to run this script on a system where splunkd was running as root (frowned on, I know), the results could be "interesting".
Any thoughts would be welcome! Thanks.
Get Updates on the Splunk Community!
Cultivate Your Career Growth with Fresh Splunk Training
Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...
Introducing a Smarter Way to Discover Apps on Splunkbase
We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.
Because we’ve ...
How to Send Splunk Observability Alerts to Webex teams in Minutes
As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...
