Getting Data In

/bin/false as loginshell for splunkforwarder

HansWurscht
Path Finder

Hi,

is it possible to use /bin/false as a loginshell for the user running splunkforwarder?

The splunkforwarder process seems to work with /bin/false, but running enable boot-start as root doesn't seem to work:

# /opt/splunkforwarder/bin/splunk enable boot-start -user splunk
This account is currently not available.
First-time-run has not finished.  Ignore this error when previewing migration - exiting.

Can someone confirm this behaviour?

Thanks!

0 Karma

edoardo_vicendo
Contributor

As of today, on a CentOS 6 server we tested modifying the shell for the splunk user from /bin/bash to /sbin/nologin.

This server is running the Splunk Universal Forwarder.

After modifying the /etc/passwd file and restarting the Splunk Universal Forwarder, it is still working, as are the scripts launched directly by it.

#to modify the shell
usermod -s /sbin/nologin splunk

#to restart the Universal Forwarder
/etc/init.d/splunk restart


0 Karma

dshakespeare_sp
Splunk Employee

The issue will be different depending on the version of Splunk.

Prior to 6.1, "/splunks/splunkforwarder/bin/splunk" start --no-prompt --answer-yes would create a line in init.d/splunk like

/bin/su - shaky -c "\"/splunks/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"

At 6.1 things changed a lot. splunk enable boot-start -user shaky now creates a script like
"/splunks/splunkforwarder/bin/splunk" start --no-prompt --answer-yes
Note there is no "su" here. The user name is taken from SPLUNK_OS_USER in launch.conf.

Using the pre-6.1 method with a user that has a /bin/false shell will be problematic, as /bin/su - shaky -c is interpreted as
$SHELL -c after su is run, and /bin/false -c will fail.

0 Karma

echalex
Builder

Hi HansWurscht,

When you run the enable boot-start, splunk creates the file splunk-launch.conf in /opt/splunkforwarder/etc. The problem seems to be that splunk needs a shell to create this file, so it has the privileges of the splunk user. I can't say whether this is a bug in splunk.

Apart from temporarily enabling a login shell to the splunk user and disabling it immediately after, you can also run the enable command without the -user option and manually edit splunk-launch.conf.

  1. # /opt/splunkforwarder/bin/splunk enable boot-start
  2. edit /opt/splunkforwarder/etc/splunk-launch.conf
  3. make sure it has the line: SPLUNK_OS_USER = splunk
  4. possibly chown splunk:splunk /opt/splunkforwarder/etc/splunk-launch.conf
  5. At least, make sure the splunk user can read the file

Out of curiosity, which OS are you using? This seems to affect at least Debian-based systems.

0 Karma
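The two answers above describe three things that decide whether boot-start works with a nologin shell: the service account's login shell, whether the init script goes through "su - user -c" (which hands the command to that shell) or invokes the splunk binary directly, and whether splunk-launch.conf sets SPLUNK_OS_USER. The following script, added here as an example and not code from the thread or from Splunk, checks all three against constructed inputs. The list of nologin shell paths, the regex that recognises the su form, and the sample passwd line, init script excerpts and splunk-launch.conf contents are assumptions made for the example; on a real host you would feed it the line from getent passwd splunk, the contents of /etc/init.d/splunk and /opt/splunkforwarder/etc/splunk-launch.conf.

```shell
#!/bin/sh
# Added example (not from the thread): predicts whether Splunk forwarder
# boot-start will work for a service account with a nologin shell, based on
# the init script style (pre-6.1 "su -" vs 6.1+ direct invocation) and the
# SPLUNK_OS_USER setting. All inputs below are constructed so it runs offline.

# Constructed /etc/passwd line for the service account.
PASSWD_ENTRY='splunk:x:1001:1001:Splunk Forwarder:/opt/splunkforwarder:/sbin/nologin'

# Constructed excerpt of a pre-6.1 style init script (runs through su -).
INIT_OLD='/bin/su - splunk -c "\"/opt/splunkforwarder/bin/splunk\" start --no-prompt --answer-yes"'

# Constructed excerpt of a 6.1+ style init script (direct invocation).
INIT_NEW='"/opt/splunkforwarder/bin/splunk" start --no-prompt --answer-yes'

# Constructed splunk-launch.conf contents, with and without the user setting.
LAUNCH_OK='SPLUNK_SERVER_NAME=splunkd
SPLUNK_OS_USER = splunk'
LAUNCH_MISSING='SPLUNK_SERVER_NAME=splunkd'

# login_shell PASSWD_LINE -> prints the 7th field (the login shell)
login_shell() {
    printf '%s\n' "$1" | cut -d: -f7
}

# shell_is_nologin SHELL -> 0 if the shell refuses to run commands
# (assumed list of the usual nologin/false paths)
shell_is_nologin() {
    case "$1" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# init_uses_su INIT_TEXT -> 0 if the script starts splunk via "su - user -c"
init_uses_su() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]/])su[[:space:]]+-[[:space:]]+[^[:space:]]+[[:space:]]+-c'
}

# launch_conf_user CONF_TEXT -> prints the SPLUNK_OS_USER value, empty if unset
launch_conf_user() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*SPLUNK_OS_USER[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# boot_start_will_work PASSWD_LINE INIT_TEXT CONF_TEXT
#   returns 0 when startup should succeed
#   returns 1 when "su -" would hand the command to a nologin shell
#   returns 2 when direct invocation has no SPLUNK_OS_USER to drop to
boot_start_will_work() {
    shell=$(login_shell "$1")
    if init_uses_su "$2"; then
        # su - runs "$SHELL -c ...", so /bin/false -c or nologin fails here
        shell_is_nologin "$shell" && return 1
        return 0
    fi
    [ -n "$(launch_conf_user "$3")" ] || return 2
    return 0
}

# report PASSWD_LINE INIT_TEXT CONF_TEXT LABEL -> human-readable verdict
report() {
    rc=0
    boot_start_will_work "$1" "$2" "$3" || rc=$?
    case "$rc" in
        0) echo "$4: OK" ;;
        1) echo "$4: FAIL (su - through a nologin shell)" ;;
        2) echo "$4: FAIL (no SPLUNK_OS_USER in splunk-launch.conf)" ;;
    esac
}

report "$PASSWD_ENTRY" "$INIT_OLD" "$LAUNCH_OK" "pre-6.1 init, nologin shell"
report "$PASSWD_ENTRY" "$INIT_NEW" "$LAUNCH_OK" "6.1+ init, SPLUNK_OS_USER set"
report "$PASSWD_ENTRY" "$INIT_NEW" "$LAUNCH_MISSING" "6.1+ init, SPLUNK_OS_USER missing"
```

The first case reproduces the failure dshakespeare_sp describes (su - with /bin/false or nologin), the second is the working 6.1+ layout, and the third is the situation echalex's manual edit of splunk-launch.conf fixes.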

felipetesta
Path Finder

Have you tried enabling boot-start while the splunk user still has a valid shell, and then changing it back to /bin/false? Does it start at reboot (or "service start splunk")?

0 Karma

HansWurscht
Path Finder

No. For a clean install process, this should not be needed.

0 Karma