However, I am encountering an issue with the notification-file plugin. It seems that this process is running as the user “nobody,” as specified in my config.yaml:
plugin_config:
  user: nobody # plugin process would be run on behalf of this user
  group: nogroup # plugin process would be run on behalf of this group
When I launch the plugin for debugging, it attempts to use the /tmp folder of the root user:
└──╼ cscli notifications test file_default --debug
DEBU[2024-10-17T18:55:23+02:00] Using /etc/crowdsec/config.yaml as configuration file
DEBU[2024-10-17T18:55:23+02:00] Enabled feature flags: <none>
DEBU Console configuration '/etc/crowdsec/console.yaml' loaded successfully
DEBU Executing plugin /usr/lib/crowdsec/plugins/notification-file
DEBU[0000] starting plugin args="[/usr/lib/crowdsec/plugins/notification-file]" path=/usr/lib/crowdsec/plugins/notification-file
DEBU[0000] plugin started path=/usr/lib/crowdsec/plugins/notification-file pid=33587
DEBU[0000] waiting for RPC address path=/usr/lib/crowdsec/plugins/notification-file
ERRO[0000] plugin init error @module=file-plugin error="open /tmp/user/0/plugin3568862350: permission denied"
FATA while loading plugin: Unrecognized remote plugin message:
This usually means
the plugin was not compiled for this architecture,
the plugin is missing dynamic-link libraries necessary to run,
the plugin is not executable by this process due to file permissions, or
the plugin failed to negotiate the initial go-plugin protocol handshake
Additional notes about the plugin:
Path: /usr/lib/crowdsec/plugins/notification-file
Mode: -rwxr-xr-x
Owner: 0 [root] (current: 0 [root])
Group: 0 [root] (current: 0 [root])
ELF architecture: EM_X86_64 (current architecture: amd64)
When I add rwx permissions for others on my /tmp/run/0 folder, it works, but this raises security concerns.
Am I making a mistake in my configuration, or is this a bug?
When you run the cscli notifications test command, are you running as root or your user account? Under the hood, cscli is spinning up a temporary notifications pipeline, so it could be that it is reusing the same /tmp folder as the actual crowdsec process that is running as root, but I would be surprised if that is the case.
It might be good if you can provide distro, arch and a few ways to replicate, as currently from my own tests I have no issues.
DEBU[2024-10-18T12:47:51+02:00] Using /etc/crowdsec/config.yaml as configuration file
DEBU[2024-10-18T12:47:51+02:00] Enabled feature flags: <none>
DEBU Console configuration '/etc/crowdsec/console.yaml' loaded successfully
DEBU Executing plugin /usr/lib/crowdsec/plugins/notification-file
DEBU[0000] starting plugin args="[/usr/lib/crowdsec/plugins/notification-file]" path=/usr/lib/crowdsec/plugins/notification-file
DEBU[0000] plugin started path=/usr/lib/crowdsec/plugins/notification-file pid=10658
DEBU[0000] waiting for RPC address path=/usr/lib/crowdsec/plugins/notification-file
ERRO[0001] plugin init error @module=file-plugin error="open /tmp/user/0/plugin2554856807: permission denied"
FATA while loading plugin: Unrecognized remote plugin message:
This usually means
the plugin was not compiled for this architecture,
the plugin is missing dynamic-link libraries necessary to run,
the plugin is not executable by this process due to file permissions, or
the plugin failed to negotiate the initial go-plugin protocol handshake
Additional notes about plugin:
Path: /usr/lib/crowdsec/plugins/notification-file
Mode: -rwxr-xr-x
Owner: 0 [root] (current: 0 [root])
Group: 0 [root] (current: 0 [root])
ELF architecture: EM_X86_64 (current architecture: amd64)
Command executed as nobody
└──╼ cscli notifications test file_default --debug
DEBU[2024-10-18T12:49:03+02:00] Using /etc/crowdsec/config.yaml as configuration file
DEBU[2024-10-18T12:49:03+02:00] Enabled feature flags: <none>
FATA failed to load Local API: loading online client credentials: open /etc/crowdsec/online_api_credentials.yaml: permission denied
Hi, I wanted to follow up and ask if you managed to find a solution to the issue. Let me know, thanks! I have the same problem, I am trying to send CrowdSec alerts to Wazuh.