Splunk takes ownership of a binary file?

leduser
Engager

I'm not a linux expert, but I installed Splunk to take a look. It worked fine. After playing awhile, I noticed that one of my program's permissions had been changed to being owned by splunk!

In the /usr/sbin directory, the mumble program had changed permissions! This happened only to the mumble binary, as well as the mumble startup file in /etc/init.d (same exact permission change).

Server is Ubuntu 10.04 Server. Splunk is latest, downloaded and installed two days ago.

Orig:

-rwxr-xr-x  1 joe  1001   6612323 2011-01-15 19:51 mumble*

Now:

-rwxr-xr-x  1 splunk  admin   6612323 2011-01-15 19:51 mumble*

Tried to fix:

$ chown joe:1001 mumble
$ ls -l mumble
-rwxr-xr-x  1 joe  splunk   6612323 2011-01-15 19:51 mumble*

$ chgrp root mumble
$ ls -l mumble
-rwxr-xr-x  1 joe  root   6612323 2011-01-15 19:51 mumble*

$ chgrp 1001 mumble
$ ls -l mumble
-rwxr-xr-x  1 joe  splunk   6612323 2011-01-15 19:51 mumble*

I don't understand why splunk would take ownership of this file, and why is group 1001 resulting in "splunk"? Admittedly, I'm no linux expert, so I apologize if I'm missing something obvious.

So, I am unable to change the group ownership back to 1001 as it was originally. This is a test machine, but I'm rather concerned that this could happen. Thanks.


Linegod
Path Finder

Whenever a group shows up as a number, it means that it has not been assigned, and is therefore invalid.

When splunk was installed, it created the splunk group using the next available group number - in this case 1001.

It is not a bug or error, it is how Linux works.

You should really be assigning mumble to a group which exists (look in /etc/group).
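The mechanism described in the answer, as an added example that is not part of the original thread and not Splunk's or the poster's code: a small ownership audit that resolves numeric UIDs/GIDs against passwd/group data, flags files whose GID has no group entry (what `ls` shows as a bare number), and flags system binaries not owned by root:root. It also mimics `groupadd` picking the lowest free GID (GID_MIN of 1000 is assumed, the Debian/Ubuntu default) to show how a later package install silently "adopts" such files. The /etc/passwd and /etc/group snippets and the file listing are constructed sample data; `scan_dir` is provided for running the same check against a real directory.

```python
"""Ownership audit for the orphaned-GID situation discussed above (added example)."""
import os
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Directories whose contents are normally expected to be root:root.
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")


class FileEntry(NamedTuple):
    path: str
    uid: int
    gid: int


class Finding(NamedTuple):
    path: str
    kind: str    # "orphan_uid" | "orphan_gid" | "unexpected_owner"
    detail: str


def parse_id_db(text: str) -> Dict[int, str]:
    """Map numeric id -> name from /etc/passwd or /etc/group style text."""
    db: Dict[int, str] = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            db[int(fields[2])] = fields[0]
    return db


def next_free_gid(groups: Dict[int, str], gid_min: int = 1000) -> int:
    """Lowest unused GID >= gid_min, which is what groupadd does without -g."""
    gid = gid_min
    while gid in groups:
        gid += 1
    return gid


def add_group(groups: Dict[int, str], name: str) -> Tuple[Dict[int, str], int]:
    """Simulate `groupadd name` (assumption: no explicit GID, GID_MIN=1000)."""
    gid = next_free_gid(groups)
    updated = dict(groups)
    updated[gid] = name
    return updated, gid


def audit(files: Iterable[FileEntry], passwd: Dict[int, str],
          groups: Dict[int, str]) -> List[Finding]:
    findings: List[Finding] = []
    for f in files:
        owner = passwd.get(f.uid)
        group = groups.get(f.gid)
        if owner is None:
            findings.append(Finding(f.path, "orphan_uid",
                                    f"uid {f.uid} has no passwd entry"))
        if group is None:
            findings.append(Finding(f.path, "orphan_gid",
                                    f"gid {f.gid} has no group entry; ls shows it numerically"))
        if os.path.dirname(f.path) in SYSTEM_BIN_DIRS and (owner != "root" or group != "root"):
            findings.append(Finding(f.path, "unexpected_owner",
                                    f"{owner or f.uid}:{group or f.gid} instead of root:root"))
    return findings


def scan_dir(directory: str) -> Iterable[FileEntry]:
    """Real-filesystem input for audit(); pass parse_id_db(open('/etc/group').read()) etc."""
    for name in os.listdir(directory):
        p = os.path.join(directory, name)
        st = os.lstat(p)
        yield FileEntry(p, st.st_uid, st.st_gid)


# Constructed sample data modelled on the thread: joe is uid 1000, GID 1001 is
# unassigned, and the mumble files were chowned to joe:1001 before Splunk arrived.
PASSWD_SAMPLE = "root:x:0:0:root:/root:/bin/bash\njoe:x:1000:1000:Joe:/home/joe:/bin/bash\n"
GROUP_SAMPLE = "root:x:0:\nadmin:x:117:joe\njoe:x:1000:\n"
FILES_SAMPLE = [
    FileEntry("/usr/sbin/mumble", 1000, 1001),
    FileEntry("/etc/init.d/mumble", 1000, 1001),
    FileEntry("/usr/sbin/sshd", 0, 0),
]


def demo() -> Tuple[List[Finding], int, List[Finding]]:
    """Audit before and after a 'splunk' group is created; returns both reports and the GID used."""
    passwd = parse_id_db(PASSWD_SAMPLE)
    groups = parse_id_db(GROUP_SAMPLE)
    before = audit(FILES_SAMPLE, passwd, groups)
    groups_after, splunk_gid = add_group(groups, "splunk")
    after = audit(FILES_SAMPLE, passwd, groups_after)
    return before, splunk_gid, after


if __name__ == "__main__":
    before, gid, after = demo()
    print("before groupadd:", *before, sep="\n  ")
    print(f"groupadd picked GID {gid}")
    print("after groupadd:", *after, sep="\n  ")
```

Before the new group exists the audit reports the two mumble files as `orphan_gid`; afterwards those findings disappear because GID 1001 now resolves to `splunk`, and only the `unexpected_owner` finding for the binary in /usr/sbin remains. That is the check worth keeping in a periodic integrity job: a numeric GID in `ls -l` output is a latent misattribution that the next `groupadd` will turn into a plausible-looking but wrong owner.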
