[Snort-users] snort 184.108.40.206 won't daemonize, OpenBSD 4.7
chakl at ...931...
Fri Apr 8 16:51:59 EDT 2011
Replying to self with a workaround solution, for the archives
> snort 220.127.116.11 on OpenBSD 4.7, running fine, but won't daemonize.
Is anyone running snort 2.9 on OpenBSD 4.7 or 4.8 who does NOT have this
I had a look at the daemonize code in util.c and rebuilt snort with
"CPPFLAGS=-DDEBUG sh configure.sh ..." to see the debug messages. As
expected, the daemon parent waits for a "child ready" signal that never
arrives while the daemon child claims to have sent it. Signal is
SIGCONT as defined in snort.h:
    #define SIGNAL_SNORT_CHILD_READY 29
So for some obscure reason, the daemon parent does not see SIGCONT from
the daemon child. In the OpenBSD manpage for kill(2) I noticed:

    Setuid and setgid processes are dealt with slightly differently.
    For the non-root user, to prevent attacks against such processes,
    some signal deliveries are not permitted and return the error
    EPERM. The following signals are allowed through to this class
    of processes: SIGKILL, SIGINT, SIGTERM, SIGSTOP, SIGTTIN, SIGTTOU,
    SIGTSTP, SIGHUP, SIGUSR1, SIGUSR2.

Since SIGCONT was not mentioned in the list above, I tried changing the
"child-ready" signal to SIGUSR2:
    #define SIGNAL_SNORT_CHILD_READY 31
Works fine as expected.
And no, I did not specify setuid/setgid on the command line or in
snort.conf, and ran it as root. I have no idea why SIGCONT is filtered
here, but SIGUSR2 is not.
> At the
> end of the startup messages it says:
> Spawning daemon child...
> My daemon child 3777 lives...
> 0x8151dc00*running 15 -c-------f 0000 main
> but it doesn't come back to the shell prompt. I can ^C out and see the
> snort child process. With ^Z, I see 2 snort processes. Obviously the
> parent won't exit while daemonizing. Any clues why?
> The daemonized child runs and alerts just fine.
> This happens regardless whether I use -D on the cmdline, "config daemon"
> in snort.conf, or both.
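
The parent/child "ready" handshake described in the message above, as an added C example (not Snort's code and not part of the original post). The names ready_handshake and on_ready are hypothetical; the child reports the result of kill() through its exit status, and the parent waits with a deadline, so a refused or lost signal is reported instead of hanging the shell. It takes symbolic signal names because the numeric values differ between operating systems.

```c
/* Added illustration, not Snort source; all names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static volatile sig_atomic_t child_ready;

static void on_ready(int signo) { (void)signo; child_ready = 1; }

/* Returns 0 when the parent saw ready_sig, the child's errno (e.g. EPERM)
 * when kill() was refused, and -1 when kill() succeeded but nothing arrived. */
int ready_handshake(int ready_sig, int timeout_sec)
{
    struct sigaction sa;
    struct timespec tick = { 0, 10 * 1000 * 1000 };  /* 10 ms poll interval */
    sigset_t unblock;
    pid_t pid;
    int status = 0, i;

    child_ready = 0;
    sa.sa_handler = on_ready;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;           /* keep waitpid() from failing with EINTR */
    if (sigaction(ready_sig, &sa, NULL) == -1)
        return errno;
    sigemptyset(&unblock);
    sigaddset(&unblock, ready_sig);
    sigprocmask(SIG_UNBLOCK, &unblock, NULL);  /* do not rely on the inherited mask */

    pid = fork();
    if (pid == -1)
        return errno;
    if (pid == 0)  /* child: report a refused delivery instead of assuming success */
        _exit(kill(getppid(), ready_sig) == -1 ? errno : 0);

    /* parent: bounded wait, so a signal that never arrives cannot block forever */
    for (i = 0; i < timeout_sec * 100 && !child_ready; i++)
        nanosleep(&tick, NULL);
    if (waitpid(pid, &status, 0) == -1)
        return errno;
    if (child_ready)
        return 0;
    if (WIFEXITED(status) && WEXITSTATUS(status) != 0)
        return WEXITSTATUS(status);     /* errno from the child's kill() */
    return -1;                          /* sent without error, never received */
}
```

Calling it with SIGCONT and then with SIGUSR2 on the affected host separates the two cases: a return of EPERM means the kernel refused the delivery, while -1 means kill() reported success but the parent never saw the signal.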