For a newly installed Bro 2.4 beta, issuing "broctl --help" yields the cryptic output:
Error: unable to open database file: /usr/local/bro/spool/state.db
No, I don't have write access. I had expected that ordinary users can run Bro after it's installed - is that wrong? (In any case, the error message sure is cryptic!)
I installed from source.
I think the problem is that you need to be superuser to install in /usr/local,
but when you do that then all of the installed files/directories are owned by root.
The user who runs broctl needs write access to the <prefix>/logs and <prefix>/spool
directories. I always run as an ordinary user and I just install to that user's home directory.
@vern: an ordinary user can use "bro", but not necessarily broctl, as that keeps state information. That's generally ok, I think.
@daniel: would be good if "broctl --help" worked for any user, independent of being root and who installed it. That shouldn't be difficult, no? Also, for other commands, could you add a check that makes sure the user running broctl has the right permissions, and give an corresponding error message otherwise?
@robin: yeah, I think that's fine. I just want the error message to be clear!
This issue is addressed by BIT-1403. I've improved the broctl documentation, improved the SQLite database file error messages, and added "broctl help" output when a user types an unknown command (such as "broctl --help").