Splunk Search

Splunk Data Input Script apparently running in root directory

julianniemeyer
New Member

I am experimenting on a test system and have a simple shell script that consists of one line calling Python 3 to run a Python script (Splunk 8.0.1 on RedHat 7.6). I do not understand what I am seeing, or why.

So the shell script is called myprog.sh and is in /data/splunk/etc/apps/myprog/bin and consists of the call:

/data/splunk/bin/python3.7m  /data/splunk/etc/apps/myprog/bin/myprog.py

myprog.py just runs a few function calls to see what the current directory and id are and what files it contains, and outputs them on STDERR so I can see them in splunkd.log.

$>cat myprog.py
#! /data/splunk/bin/python3
import sys
import os

def run():
    # Report the working directory and effective uid on STDERR so the lines
    # show up in splunkd.log, then list whatever the current directory contains.
    print("CWD ", os.getcwd(), " ID ", os.geteuid(), file=sys.stderr)
    files = os.listdir('.')
    for file in files:
        print(file, file=sys.stderr)

if __name__ == '__main__':
    run()

If run interactively, it reports the current directory as /data/splunk/etc/apps/myprog/bin and my id as 2000 (splunk), exactly as I would have expected.

If configured and run through Settings -> Data Input -> Script (set to every 60 seconds), the current directory is reported as / - i.e. the root directory:

03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" CWD  /  ID  2000
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" boot
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" dev
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" home
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" proc
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" run
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" sys
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" tmp
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" var
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" etc
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" root
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" usr
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" bin
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" sbin
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" lib
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" lib64
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" media
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" mnt
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" opt
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" srv
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" .autorelabel
03-05-2020 12:58:04.884 +0100 ERROR ExecProcessor - message from "/data/splunk/etc/apps/myprog/bin/myprog.sh" data

Is this expected behaviour? It seems to me to be worrisome that an app could have access to the entire file system like this - even if as user splunk rather than user root. Furthermore, I guess if someone were to run this script on a system where splunkd was running as root (frowned on, I know), the results could be "interesting".

Any thoughts would be welcome! Thanks.

0 Karma
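A CWD-independent version of the scripted input, added here as an example (not code from the original post): it derives every path from the script's own location rather than from the working directory splunkd starts it in, and rejects any path that would leave the app directory. It assumes the $SPLUNK_HOME/etc/apps/<app>/bin layout from the post; the helper names are mine.

```python
"""CWD-independent scripted input (added example, not from the original post).

splunkd starts a scripted input in its own working directory ('/' in the post),
so a relative path the script opens resolves against '/' and not against the
app's bin directory. Deriving every path from the script's own location removes
that dependency and keeps file access inside the app directory.
"""
import os
import sys

def app_paths(script_path):
    """Return (app_root, bin_dir, lookups_dir) from the script's own location,
    never from os.getcwd(). Assumes the $SPLUNK_HOME/etc/apps/<app>/bin layout."""
    bin_dir = os.path.dirname(os.path.abspath(script_path))
    app_root = os.path.dirname(bin_dir)
    return app_root, bin_dir, os.path.join(app_root, "lookups")


def safe_app_path(app_root, relative):
    """Join a relative name onto app_root; return the resolved absolute path,
    or None when it escapes the app (a '..' component or an absolute path).
    realpath() is used so a symlink cannot be used to leave app_root either."""
    root = os.path.realpath(app_root)
    candidate = os.path.realpath(os.path.join(root, relative))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def describe_environment(script_path, cwd=None):
    """Collect what the post prints to STDERR plus the resolved app paths, so
    the splunkd.log output shows whether CWD and the app's bin dir differ."""
    cwd = os.getcwd() if cwd is None else cwd
    app_root, bin_dir, _ = app_paths(script_path)
    return {
        "cwd": cwd,
        "euid": os.geteuid(),
        "app_root": app_root,
        "bin_dir": bin_dir,
        "cwd_is_app_bin": os.path.realpath(cwd) == os.path.realpath(bin_dir),
    }


if __name__ == "__main__":
    # Under splunkd this reports cwd '/' and cwd_is_app_bin False, while the
    # app paths are still correct because they never depended on the CWD.
    for key, value in describe_environment(__file__).items():
        print(key, value, file=sys.stderr)
```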