I'm not a Linux expert, but I installed Splunk to take a look. It worked fine. After playing awhile, I noticed that one of my program's permissions had been changed to being owned by splunk!
In the /usr/sbin directory, the mumble program had changed permissions! This happened only to the mumble binary, as well as the mumble startup file in /etc/init.d (same exact permission change).
Server is Ubuntu 10.04 Server. Splunk is latest, downloaded and installed two days ago.
Orig:
-rwxr-xr-x 1 joe 1001 6612323 2011-01-15 19:51 mumble*
Now:
-rwxr-xr-x 1 splunk admin 6612323 2011-01-15 19:51 mumble*
$ chown joe:1001 mumble
ls -l mumble
-rwxr-xr-x 1 joe splunk 6612323 2011-01-15 19:51 mumble*
$ chgrp root mumble
ls -l mumble
-rwxr-xr-x 1 joe root 6612323 2011-01-15 19:51 mumble*
$ chgrp 1001 mumble
ls -l mumble
-rwxr-xr-x 1 joe splunk 6612323 2011-01-15 19:51 mumble*
I don't understand why splunk would take ownership of this file, and why is group 1001 resulting in "splunk"? Admittedly, I'm no Linux expert, so I apologize if I'm missing something obvious.
So, I am unable to change the group ownership back to 1001 as it was originally. This is a test machine, but I'm rather concerned that this could happen. Thanks.
Whenever a group shows up as a number, it means that it has not been assigned, and is therefore invalid.
When splunk was installed, it created the splunk group using the next available group number - in this case 1001.
It is not a bug or error; it is how Linux works.
You should really be assigning mumble to a group which exists (look in /etc/group).
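
Added example, not part of the original thread: the sketch below reproduces the lookup that makes `ls -l` print `1001` before the install and `splunk` after it, and adds an audit for files whose numeric owner or group has no entry yet. The function names and the two group files are constructed for illustration; only GID 1001 and the `splunk` group name come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. The group files are constructed samples.

# gid_label GID GROUP_FILE
# Print the name ls -l would show for GID, given a file in /etc/group format
# (name:password:GID:members). Print the bare number when no entry maps it.
gid_label() {
    awk -F: -v gid="$1" '
        $3 == gid { print $1; found = 1; exit }
        END { if (!found) print gid }
    ' "$2"
}

# write_sample_groups DIR
# Write constructed group files: one before a package install, one after the
# install has created a "splunk" group on the previously unassigned GID 1001.
write_sample_groups() {
    printf '%s\n' 'root:x:0:' 'admin:x:119:joe' 'joe:x:1000:' > "$1/group.before"
    cp "$1/group.before" "$1/group.after"
    printf '%s\n' 'splunk:x:1001:' >> "$1/group.after"
}

# audit_unowned DIR
# List files under DIR whose numeric owner or group has no passwd/group entry.
# These are the files a newly created account or group would silently inherit.
audit_unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -exec ls -lnd {} +
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_sample_groups "$tmp"
    echo "before install: GID 1001 shows as $(gid_label 1001 "$tmp/group.before")"
    echo "after install:  GID 1001 shows as $(gid_label 1001 "$tmp/group.after")"
    rm -rf "$tmp"
}

demo
```

On a live system, `getent group 1001` performs the same lookup against the real group database, and `audit_unowned /usr/sbin /etc/init.d` run before installing a package shows which files should be reassigned to an existing group first.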