Splunk Dev

Unable to get proper file permission of an app package

Mr2022
Explorer

I packed a Splunk app with the tar command on a Linux host, running as the root user. As a result, the owner and group owner are both 'root'. After I installed it to Splunk Enterprise, I found that the decompressed directory and its files are all owned by 'root'. However, the other installed app directories and files belong to 'splunk'.

So, should I su to splunk first and then pack the app file?

0 Karma

sloshburch
Splunk Employee

Hiya - My preference is the Splunk Enterprise CLI command . Ideally Splunk isn't running as root so run this as the same user Splunk is running as. I find it does the best job ensuring the package is most compliant. You MAY still need to tweak file and directory permissions, remove hidden files, and clean up any local dir content before you wanna publish it for others.


0 Karma

PickleRick
SplunkTrust

If the app is owned by any user but is world (or at least splunk) readable, it should "mostly work", meaning that splunk will be able to read its contents and apply settings. But you may face problems if the app is more complicated than a simple list of props/transforms. For example, if the app is configured from the WebUI and writes its settings into its own local folder. That will of course not work if splunkd does not have permissions to write to that dir.

So long story short - do change your app files/dirs ownership to your splunk user.

0 Karma
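
A pre-publish check for the points raised in the two answers above (root ownership recorded in the archive, loose permissions, hidden files, leftover local dir content), as an added example that is not code from the thread or from Splunk. The app name `my_app`, the uid 1001 and the sample archive are constructed for illustration.

```python
import io
import stat
import tarfile

def build_sample_package():
    """Constructed sample: an app tarball packed as root, with leftovers."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, owner in [
            ("my_app/default/app.conf", 0o644, "root"),
            ("my_app/bin/run.py", 0o777, "root"),
            ("my_app/local/inputs.conf", 0o600, "splunk"),
            ("my_app/.DS_Store", 0o644, "splunk"),
        ]:
            info = tarfile.TarInfo(name)
            info.mode, info.uname, info.gname = mode, owner, owner
            info.uid = info.gid = 0 if owner == "root" else 1001  # assumed uid
            data = b"# constructed\n"
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def audit_package(blob):
    """Return (member, finding) pairs for the issues the thread mentions."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar.getmembers():
            parts = m.name.split("/")
            # tar stores the packer's uid and user name for every member
            if m.uid == 0 or m.uname == "root":
                findings.append((m.name, "owned by root"))
            if m.mode & stat.S_IWOTH:
                findings.append((m.name, "world-writable"))
            if any(p.startswith(".") and p not in (".", "..") for p in parts):
                findings.append((m.name, "hidden file"))
            # second path component is the directory directly under the app root
            if len(parts) > 1 and parts[1] == "local":
                findings.append((m.name, "local dir content"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_package(build_sample_package()):
        print(f"{finding:18} {name}")
```

To check a real package, read the `.tar.gz` or `.spl` file in binary mode and pass its bytes to `audit_package`.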


Mr2022
Explorer

Thanks for your help. I found that I triggered splunkd as root, not splunk.

0 Karma