[Snort-users] snort won't daemonize, OpenBSD 4.7

Olaf Schreck chakl at ...931...
Fri Apr 8 16:51:59 EDT 2011

Replying to self with a workaround solution, for the archives

> snort on OpenBSD 4.7, running fine, but won't daemonize.

Is anyone running snort 2.9 on OpenBSD 4.7 or 4.8 who does NOT have this 

I had a look at the daemonize code in util.c and rebuilt snort with 
"CPPFLAGS=-DDEBUG sh configure.sh ..." to see the debug messages.  As 
expected, the daemon parent waits for a "child ready" signal that never 
arrives while the daemon child claims to have sent it.  Signal is 
SIGCONT as defined in snort.h:

     #define SIGNAL_SNORT_CHILD_READY    29

So for some obscure reason, the daemon parent does not see SIGCONT from 
the daemon child.  In the OpenBSD manpage for kill(2) I noticed

     Setuid and setgid processes are dealt with slightly differently.
     For the non-root user, to prevent attacks against such processes,
     some signal deliveries are not permitted and return the error
     EPERM.  The following signals are allowed through to this class

Since SIGCONT was not mentioned in the list above, I tried changing the 
"child-ready" signal to SIGUSR2:

     #define SIGNAL_SNORT_CHILD_READY    31

Works fine as expected.

And no, I did not specify setuid/setgid on the command line or in 
snort.conf, and ran it as root.  I have no idea why SIGCONT is filtered 
here, but SIGUSR2 is not.

> At the
> end of the startup messages it says:
>     Spawning daemon child...
>     My daemon child 3777 lives...
>      0x8151dc00*running     15 -c-------f 0000 main
> but it doesn't come back to the shell prompt.  I can ^C out and see the
> snort child process.  With ^Z, I see 2 snort processes.  Obviously the
> parent won't exit while daemonizing.  Any clues why?
> The daemonized child runs and alerts just fine.
> This happens regardless whether I use -D on the cmdline, "config daemon"
> in snort.conf, or both.
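
The child-to-parent "ready" handshake discussed in this post, as an added example that is not part of the original message or of Snort's code: the parent installs a handler, forks, and reports whether the child's signal ever arrives, once for SIGCONT and once for SIGUSR2. The function name `ready_signal_arrives` and the 2-second timeout are assumptions; the signals are named symbolically because signal numbers differ between operating systems.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static volatile sig_atomic_t got_ready;

static void on_ready(int signo) { (void)signo; got_ready = 1; }

/* Returns 1 if the parent saw signo from its child, 0 if it never
 * arrived within timeout_ms, -1 if the probe could not be set up. */
int ready_signal_arrives(int signo, int timeout_ms)
{
    struct sigaction sa, old;
    struct timespec tick = { 0, 10 * 1000 * 1000 };   /* 10 ms */
    int waited;
    pid_t pid;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_ready;
    sigemptyset(&sa.sa_mask);
    got_ready = 0;
    if (sigaction(signo, &sa, &old) == -1)
        return -1;

    pid = fork();
    if (pid == 0) {                 /* child: notify the parent, then leave */
        if (kill(getppid(), signo) == -1)
            perror("kill");         /* e.g. EPERM if delivery is refused */
        _exit(0);
    }
    if (pid > 0) {                  /* parent: wait for the handler to fire */
        for (waited = 0; !got_ready && waited < timeout_ms; waited += 10)
            nanosleep(&tick, NULL);
        waitpid(pid, NULL, 0);
    }
    sigaction(signo, &old, NULL);   /* restore the previous disposition */
    return pid == -1 ? -1 : got_ready != 0;
}

int main(void)
{
    printf("SIGCONT (%d): %d\n", SIGCONT, ready_signal_arrives(SIGCONT, 2000));
    printf("SIGUSR2 (%d): %d\n", SIGUSR2, ready_signal_arrives(SIGUSR2, 2000));
    return 0;
}
```

A result of 0 for one signal and 1 for the other, run under the same account and privileges as the daemon, reproduces the symptom described above without rebuilding Snort.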
