Is there a way to run Edge as non-root while still being able to monitor all files?

Jon Rust

I really dislike running any service as root. But Edge needs to access files all over my system. Is there a way to address both requirements?

Jon Rust

You can set the CAP_DAC_READ_SEARCH ability as with allowing sub 1024 port numbers. Run systemctl edit cribl-edgeand add the CAP_DAC_READ_SEARCH capability. Save the file and restart Cribl Edge:

[Service]
AmbientCapabilities=CAP_DAC_READ_SEARCH

Wayne Gillo

You could create facl rules to allow the user running Edge to various parts of the file system. There's really nothing stopping you from having that user access every location on disk, but it would be a fairly challenging facl to write.

To do this for the /var/log directory, you can run the following:
setfacl -m user<user>:rx /var/log

Jon Rust

You can set the CAP_DAC_READ_SEARCH ability as with allowing sub 1024 port numbers. Run systemctl edit cribl-edgeand add the CAP_DAC_READ_SEARCH capability. Save the file and restart Cribl Edge:

[Service]
AmbientCapabilities=CAP_DAC_READ_SEARCH

Jon Rust

https://community.cribl.io/discussion/comment/478#Comment_478

Excellent alternative!

Brendan Dalpe

We have the method @Wayne Gillo is describing documented here: https://docs.cribl.io/edge/usecase-edge-acls

Srinivasa Kotikelapudi

You can find more details in the documentation - https://docs.cribl.io/edge/deploy-runtime-user