cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
_splunkster
Engager
Member since: ‎01-11-2021
‎08-11-2021
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎01-11-2021
View All

Re: Should Splunk honor umask when creating files?

by in Installation
‎08-05-2021 03:38 PM
‎08-05-2021 03:38 PM
The ec2-user is used to access the Linux instance when it is running, but the ec2-user is not used in anyway for the question I'm posing. My expectation is that the Splunk process(es) should honor the umask of the Linux user account under which they are running. Using this AMI, Splunk's processes are running under a Linux user account named splunk which has a umask of 0002. When Splunk software creates new files, the file permissions are set to 600 which does not align with this umask -- it's as if these file permissions are being controlled through Splunk software, and not by OS configuration. If you are asking if my touch test2.xml example was done under the ec2-user account, no it was done as the splunk user. ... View more

Should Splunk honor umask when creating files?

by in Installation
‎01-11-2021 11:37 AM
‎01-11-2021 11:37 AM
I stood up a clean install of Splunk in AWS using their latest published AMI (currently Splunk Enterprise 8.1.1 running on Amazon Linux 2). This install has a local user named splunk (with a group named splunk) under which the splunkd process is running.   $ top -u splunk PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 4613 splunk 20 0 630312 166068 54880 S 0.7 1.0 0:49.25 splunkd 4766 splunk 20 0 105488 13984 5168 S 0.3 0.1 0:01.60 splunkd 4795 splunk 20 0 1642752 65616 28848 S 0.3 0.4 0:13.24 mongod 4874 splunk 20 0 2669968 68704 15300 S 0.0 0.4 0:06.45 python3.7 5154 splunk 20 0 197692 53536 42432 S 0.0 0.3 0:03.05 splunkd   With the instance running, without making any changes, it appears that all new files created by Splunk are getting 600 file permissions. For example, using the web interface under the default admin account and creating a new app-shared dashboard named test results in the following file/permissions:   $ ls -al /opt/splunk/etc/apps/search/local/data/ui/views/ total 4 drwx------ 2 splunk splunk 22 Jan 11 18:53 . drwx------ 3 splunk splunk 19 Jan 11 18:53 .. -rw------- 1 splunk splunk 46 Jan 11 18:53 test.xml   This is not aligned with the umask value of the splunk user. e.g.,   $ id uid=1001(splunk) gid=1001(splunk) groups=1001(splunk) $ umask 0002 $ cd /opt/splunk/etc/apps/search/local/data/ui/views/ $ touch test2.xml && ls -al total 4 drwx------ 2 splunk splunk 39 Jan 11 19:23 . drwx------ 3 splunk splunk 19 Jan 11 18:53 .. -rw-rw-r-- 1 splunk splunk 0 Jan 11 19:23 test2.xml -rw------- 1 splunk splunk 46 Jan 11 18:53 test.xml   Is this behavior of creating files with owner-restricted permissions (not matching configured umask) expected? If yes (working as expected), is there somewhere in Splunk where these default file permissions can be configured? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎08-11-2021 01:05 PM