changing capabilities via setcap prevents local library path for loading linked libraries

Asked by CP Scott

I'm trying to install Splunk on Lucid, using libcap2-bin tools to give splunkd access to open ports 443 and 514, without requiring root privileges.

This splunk page [1] indicates that it could be possible, but does not show that anyone was successful in achieving this.

I read the man page, and this page [2] to find a way to make it work.

I used the kernel module 'capable_probe' from here [3] to determine that /opt/splunk/bin/splunkd is requesting permission 12, CAP_NET_ADMIN.

When I modified splunkd to have the correct permissions, splunkd hangs and fails to start, because it cannot find the pcre libraries in /opt/splunk/lib. If I remove the setcap permissions, splunkd starts just fine.

How can I get splunkd to recognize its local linked libraries?

$ sudo setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/splunkd

$ sudo modprobe capable_probe
WARNING: All config files need .conf: /etc/modprobe.d/lrm-video, it will be ignored in a future release.

$ jobs
[1]+ Running tail -f /var/log/messages &

$ sudo /etc/init.d/splunk restart

Jul 27 11:34:20 sea-splunk01 kernel: [67237.770215] cr_capable: asking for capability 197718528 for bash
Jul 27 11:34:20 sea-splunk01 kernel: [67237.770226] cr_capable: asking for capability 197720832 for bash
Jul 27 11:34:20 sea-splunk01 kernel: [67237.770229] cr_capable: asking for capability 197720832 for bash

Restarting Splunk...
splunkweb is not running.
Stopping splunkd...
Shutting down. Please wait, as this may take a few minutes.
Jul 27 11:34:22 sea-splunk01 kernel: [67239.956315] cr_capable: asking for capability 194287232 for sudo
Jul 27 11:34:22 sea-splunk01 kernel: [67239.956324] cr_capable: asking for capability 194281856 for sudo
Jul 27 11:34:22 sea-splunk01 kernel: [67239.956329] cr_capable: asking for capability 194284928 for sudo
Jul 27 11:34:22 sea-splunk01 kernel: [67239.956352] cr_capable: asking for capability 260497088 for sudo
Jul 27 11:34:22 sea-splunk01 kernel: [67239.957948] cr_capable: asking for capability 260490752 for sudo
Jul 27 11:34:22 sea-splunk01 kernel: [67239.957968] cr_capable: asking for capability 305859968 for sudo
Jul 27 11:34:22 sea-splunk01 kernel: [67239.957974] cr_capable: asking for capability 305857280 for sudo
Jul 27 11:34:22 sea-splunk01 kernel: [67239.957987] cr_capable: asking for capability 305863808 for sudo
Jul 27 11:34:22 sea-splunk01 kernel: [67239.958825] cr_capable: asking for capability 305859392 for sudo
Jul 27 11:34:22 sea-splunk01 kernel: [67239.958830] cr_capable: asking for capability 305856896 for sudo
Jul 27 11:34:22 sea-splunk01 kernel: [67239.960462] cr_capable: asking for capability 206681152 for sudo
Jul 27 11:34:22 sea-splunk01 kernel: [67239.960470] cr_capable: asking for capability 206677888 for sudo
Jul 27 11:34:22 sea-splunk01 kernel: [67239.964484] cr_capable: asking for capability 263122112 for su
Jul 27 11:34:22 sea-splunk01 kernel: [67239.964578] cr_capable: asking for capability 283436736 for su
Jul 27 11:34:22 sea-splunk01 kernel: [67239.964805] cr_capable: asking for capability 283435584 for su
.
Stopping splunk helpers...

Done.

Splunk> The IT Search Engine.

Checking prerequisites...
 Checking http port [443]: open
 Checking mgmt port [8089]: open
 Checking configuration... Done.
 Checking index directory... Done.
 Checking databases...
 Validated databases: _audit, _blocksignature, _internal, _thefishbucket, history, main, sample, summary
All preliminary checks passed.

splunkd: error while loading shared libraries: libpcre.so.0: cannot open shared object file: No such file or directory

[1] http://answers.splunk.com/questions/1566/can-i-run-splunkweb-on-port-80-on-linux-without-running-as-root
[2] http://www.friedhoff.org/posixfilecaps.html
[3] http://www.friedhoff.org/downloads.html

Question information

Language: English
Status: Expired
For: Ubuntu libcap2
Assignee: No assignee
Launchpad Janitor (janitor) said :
#1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Kamal (kalotus) said :
#2

LD_LIBRARY_PATH seems ignored after you run setcap on a file.
Check this solution: http://stackoverflow.com/a/22087199
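
Added example, not part of the original thread: executing a file that carries capabilities makes the kernel set AT_SECURE, and the dynamic loader then runs in secure-execution mode and ignores LD_LIBRARY_PATH. This diagnostic reports that flag and the process's effective capabilities; the function names are hypothetical, and it assumes Linux with glibc.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/auxv.h>

#define CAP_NET_BIND_SERVICE_BIT 10 /* bit number from <linux/capability.h> */

/* Parse one /proc/<pid>/status line such as "CapEff:\t0000000000000400".
   Returns 1 and stores the hex mask when the line carries `field`. */
int parse_cap_line(const char *line, const char *field, unsigned long long *mask)
{
    size_t n = strlen(field);
    char *end;
    if (strncmp(line, field, n) != 0 || line[n] != ':')
        return 0;
    *mask = strtoull(line + n + 1, &end, 16);
    return end != line + n + 1;
}

/* 1 when capability number `cap` is present in `mask`. */
int cap_is_set(unsigned long long mask, int cap) { return (int)((mask >> cap) & 1ULL); }

/* ld.so honours LD_LIBRARY_PATH only when the exec was not flagged secure. */
int loader_honours_env(unsigned long at_secure) { return at_secure == 0; }

/* Read the effective capability mask of the current process. */
int read_effective_caps(unsigned long long *mask)
{
    char line[256];
    int found = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    while (!found && fgets(line, sizeof line, f))
        found = parse_cap_line(line, "CapEff", mask);
    fclose(f);
    return found;
}

int main(void)
{
    unsigned long long eff = 0;
    unsigned long secure = getauxval(AT_SECURE);
    const char *seen = secure_getenv("LD_LIBRARY_PATH"); /* NULL in secure mode */
    printf("AT_SECURE=%lu, loader honours LD_LIBRARY_PATH: %s\n", secure, loader_honours_env(secure) ? "yes" : "no");
    printf("LD_LIBRARY_PATH via secure_getenv: %s\n", seen ? seen : "(not visible)");
    if (read_effective_caps(&eff))
        printf("CapEff=%016llx cap_net_bind_service=%d\n", eff, cap_is_set(eff, CAP_NET_BIND_SERVICE_BIT));
    return 0;
}
```

Run the compiled binary with LD_LIBRARY_PATH exported, once as built and once after applying `setcap 'cap_net_bind_service=+ep'` to it, and compare the two reports.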