[Snort-users] snort 2.9.0.4 won't daemonize, OpenBSD 4.7

Olaf Schreck chakl at ...931...
Fri Apr 8 16:51:59 EDT 2011


Replying to self with a workaround solution, for the archives.

> snort 2.9.0.4 on OpenBSD 4.7, running fine, but won't daemonize.

Is anyone running snort 2.9 on OpenBSD 4.7 or 4.8 who does NOT have this 
problem?

I had a look at the daemonize code in util.c and rebuilt snort with 
"CPPFLAGS=-DDEBUG sh configure.sh ..." to see the debug messages.  As 
expected, the daemon parent waits for a "child ready" signal that never 
arrives while the daemon child claims to have sent it.  Signal is 
SIGCONT as defined in snort.h:

     #define SIGNAL_SNORT_CHILD_READY    29

So for some obscure reason, the daemon parent does not see SIGCONT from 
the daemon child.  In the OpenBSD manpage for kill(2) I noticed

     Setuid and setgid processes are dealt with slightly differently.
     For the non-root user, to prevent attacks against such processes,
     some signal deliveries are not permitted and return the error
     EPERM.  The following signals are allowed through to this class
     of processes: SIGKILL, SIGINT, SIGTERM, SIGSTOP, SIGTTIN, SIGTTOU,
     SIGTSTP, SIGHUP, SIGUSR1, SIGUSR2.

Since SIGCONT was not mentioned in the list above, I tried changing the 
"child-ready" signal to SIGUSR2:

     #define SIGNAL_SNORT_CHILD_READY    31

Works fine as expected.

And no, I did not specify setuid/setgid on the command line or in 
snort.conf, and ran it as root.  I have no idea why SIGCONT is filtered 
here, but SIGUSR2 is not.



> At the
> end of the startup messages it says:
>
>     Spawning daemon child...
>     My daemon child 3777 lives...
>      0x8151dc00*running     15 -c-------f 0000 main
>
> but it doesn't come back to the shell prompt.  I can ^C out and see the
> snort child process.  With ^Z, I see 2 snort processes.  Obviously the
> parent won't exit while daemonizing.  Any clues why?
>
> The daemonized child runs and alerts just fine.
>
> This happens regardless of whether I use -D on the cmdline, "config daemon"
> in snort.conf, or both.



