Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to get proper file permission of an app package

Mr2022
Explorer
‎02-17-2022 05:30 PM

I pack an splunk app by tar command in an linux host, running as a root user. As a result the owner and group owner are both 'root'. After I installed to Splunk Enterprise, I found that the depressed directory and its files are all owned by 'root['. However, other installed app directories and files are belong to 'splunk'. 

So, should I su to splunk first and then pack the app file?

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sloshburch
Ultra Champion
‎02-17-2022 06:12 PM

Hiya - My preference is the Splunk Enterprise CLI command . Ideally Splunk isn't running as root so run this as the same user Splunk is running as. I find it does the best job ensuring the package is most compliant. You MAY still need to tweak file and directory permissions, remove hidden files, and clean up any local dir content before you wanna publish it for others.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎02-17-2022 10:05 PM

If the app is owned by any user but is world (or at least splunk) readable, it should "mostly work" meaning that splunk will he able to read its contents and apply settings. But you may face problems if the app is more complicated than a simple list of props/transforms. For example if the app is configured from the WebUI and writes its settings into its own local folder. That will of course not work if splunkd does not have permissions to write to that dir.

So long story short - do change your app files/dirs ownership to your splunk user.

0 Karma
Reply
Solved! Jump to solution
Solution

sloshburch
Ultra Champion
‎02-17-2022 06:12 PM

Hiya - My preference is the Splunk Enterprise CLI command . Ideally Splunk isn't running as root so run this as the same user Splunk is running as. I find it does the best job ensuring the package is most compliant. You MAY still need to tweak file and directory permissions, remove hidden files, and clean up any local dir content before you wanna publish it for others.

0 Karma
Reply
Solved! Jump to solution

Mr2022
Explorer
‎02-20-2022 07:29 PM

Thanks for your help. I found that I trigger the splunkd as root, not splunk.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...