
New value for 'socket' config does not create file, default value keep being used #8305

Open
filiagees opened this issue Apr 3, 2024 · 3 comments

Comments

@filiagees

Bug report

What operating system and version are you using?

osqueryi --line "SELECT version, build, platform FROM os_version;"
 version = Red Hat Enterprise Linux release 8.8 (Ootpa)
   build =
platform = rhel

What version of osquery are you using?

osqueryi --line "SELECT version from osquery_info;"
version = 5.11.0

What steps did you take to reproduce the issue?

  • add an entry "socket": "/tmp/osqueryd.sock.em", inside "config" block, in file /etc/osquery/osquery.conf
  • restart daemon, eg: service osqueryd restart
  • check for the "value" column applied: osqueryi "SELECT * FROM osquery_flags where name = 'extensions_socket';"
  • validate the file type of columns "default_value" and "value": file /var/osquery/osquery.em /tmp/osqueryd.sock.em

What did you expect to see?

I expect the file in the "default_value" column to be absent from the filesystem, and the file in the "value" column to be a socket, e.g.:

/var/osquery/osquery.em: cannot open `/var/osquery/osquery.em' (No such file or directory)
/tmp/osqueryd.sock.em:   socket

What did you see instead?

I see the opposite: the "default_value" as a socket file, and nothing is created with the new config.

/var/osquery/osquery.em: socket
/tmp/osqueryd.sock.em:   cannot open `/tmp/osqueryd.sock.em' (No such file or directory)
@Smjert
Member

Smjert commented Apr 3, 2024

Hey @filiagees, this is not a bug; socket (or the full name extensions_socket) is a CLI_FLAG, which means it can only be set/changed via the CLI when launching osquery or via the flagfile.
In the logs you should be seeing a warning that says "The CLI only flag --socket set via config file will be ignored, please use a flagfile or pass it to the process at startup".

In the past this was (incorrectly) not enforced; from 5.4.0 onward this has been changed.

@filiagees
Author

@Smjert thanks for such a fast reply,

You are right, when I set --extensions_socket=/tmp/osqueryd_cliflag.sock in "osquery.flags", the socket is created OK. ✅

On the other hand, running select * from osquery_flags where name = 'extensions_socket' still¹ shows inconsistent 'default_value'/'value' columns (none of the files mentioned were created).

¹ details

Config

added to 'config' block, in /etc/osquery/osquery.conf:

"socket": "/tmp/osqueryd_configfile.sock",

cat /etc/osquery/osquery.flags:

--extensions_socket=/tmp/osqueryd_cliflag.sock
--verbose

Result:

# osqueryi "SELECT * FROM osquery_flags where name = 'extensions_socket';"
+-------------------+--------+-------------------------------------------+-------------------------+-------------------------------+------------+
| name              | type   | description                               | default_value           | value                         | shell_only |
+-------------------+--------+-------------------------------------------+-------------------------+-------------------------------+------------+
| extensions_socket | string | Path to the extensions UNIX domain socket | /var/osquery/osquery.em | /tmp/osqueryd_configfile.sock | 0          |
+-------------------+--------+-------------------------------------------+-------------------------+-------------------------------+------------+


# file /var/osquery/osquery.em /tmp/osqueryd_configfile.sock
/var/osquery/osquery.em:       cannot open `/var/osquery/osquery.em' (No such file or directory)
/tmp/osqueryd_configfile.sock: cannot open `/tmp/osqueryd_configfile.sock' (No such file or directory)

# file /tmp/osqueryd_cliflag.sock
/tmp/osqueryd_cliflag.sock: socket

If you think it's neither a bug nor a doc issue, I will close this issue.
But I'm afraid it might confuse some people (eg. myself ☺️).

@Smjert
Member

Smjert commented Apr 4, 2024

The default value is correct, it's whatever it's set to when you don't pass that flag (which is hardcoded), but the value it shows is indeed wrong.
I wonder if it's because it doesn't recognize the alias of a CLI flag as a CLI flag.
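An added example, not code from osquery or either commenter: a small audit that catches the situation in this thread before deployment, by flagging CLI-only options (here the `socket` alias of `extensions_socket`) that were written into the config file and will be ignored in favour of the flagfile or the hardcoded default. It assumes the config file keeps options under an `options` key and uses a deliberately tiny alias table built from this issue; the sample config and flagfile are constructed from the values in the thread.

```python
import json

# Assumption: only the alias pair discussed in this issue is listed here.
# osquery has many more CLI-only flags; extend this table for a real audit.
CLI_ONLY_ALIASES = {
    "socket": "extensions_socket",
    "extensions_socket": "extensions_socket",
}


def parse_flagfile(text):
    """Parse flagfile lines such as '--extensions_socket=/path' or '--verbose'.
    Aliases are resolved to their canonical flag name; bare flags map to 'true'."""
    flags = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("--"):  # skip blanks and comments
            continue
        name, has_value, value = line[2:].partition("=")
        flags[CLI_ONLY_ALIASES.get(name, name)] = value if has_value else "true"
    return flags


def audit_config(config_json, flagfile_text, options_key="options"):
    """Return {config_name: {"canonical", "config_value", "applied"}} for every
    CLI-only flag set in the config file. 'applied' is the flagfile value that
    actually takes effect, or None when the hardcoded default applies."""
    options = json.loads(config_json).get(options_key, {})
    cli = parse_flagfile(flagfile_text)
    ignored = {}
    for name, value in options.items():
        canonical = CLI_ONLY_ALIASES.get(name)
        if canonical is None:
            continue  # regular option, honoured from the config file
        ignored[name] = {
            "canonical": canonical,
            "config_value": value,
            "applied": cli.get(canonical),  # None -> hardcoded default wins
        }
    return ignored


# Constructed sample input mirroring the reporter's setup.
SAMPLE_CONFIG = '{"options": {"socket": "/tmp/osqueryd_configfile.sock", "verbose": "true"}}'
SAMPLE_FLAGFILE = "--extensions_socket=/tmp/osqueryd_cliflag.sock\n--verbose\n"

if __name__ == "__main__":
    for name, info in audit_config(SAMPLE_CONFIG, SAMPLE_FLAGFILE).items():
        print(f"'{name}' in config is ignored; effective {info['canonical']} = {info['applied']}")
```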
