[Snort-devel] Snort v1.8.1 portscan.log owner problem?

Fyodor fygrave at ...1...
Sat Sep 1 10:36:03 EDT 2001

On Thu, Aug 23, 2001 at 03:55:48AM -0400, JP Vossen wrote:
> Snort Ver: 1.8.1
> System Architecture: x86
> Operating System and version: RedHat Linux 7.1
> What rules (if any) you were using:
> http://snort.sourcefire.com/downloads/snortrules.tar.gz
> What command line switches you were using:
>   daemon /usr/sbin/snort -u snort -g snort -s -d -D -A fast -i $INTERFACE -l \
>   /var/log/snort -c /etc/snort/snort.conf
> More environment details: I'm using my own RPM (since I couldn't find a v1.8.1
> RPM); get it at http://www.jpsdomain.org/public/public.html#rpms
> I noticed that snort creates in /var/log/snort/:
>    -rw-------    1 root     root            0 Aug 23 02:58 portscan.log
> But I'm running "-u snort -g snort".  The docs say that -u/-g "Change the xID
> Snort runs under to YYYY after initialization. This switch allows Snort to
> drop root privileges after its initialization phase has completed as a
> security measure."
> To me, this means that when snort tries to write to portscan.log it'll fail,
> yet I just tested it and it wrote to the file fine, even though ps shows it
> running as user snort.  Am I missing something or did I screw up when I built
> the RPM or what?

When snort opens a file, it writes into the file through the
file descriptor. At this point file permissions do not matter, as long as
the file remains open. (You can even delete the file; snort would still be
writing into it, although when snort closes the file, the contents will
be gone :))
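
The behaviour described in the reply above, as an added example that is not part of the original message and is not Snort code. It assumes a POSIX system; the scratch file name is constructed, and `fchmod(fd, 0)` stands in for the privilege drop so the program does not need to start as root.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct fd_demo {
    ssize_t write_after_chmod;   /* bytes written once the mode is 0000 */
    int     reopen_errno;        /* errno from a fresh open(), 0 if it succeeded */
    ssize_t write_after_unlink;  /* bytes written once the name is gone */
    long    links_after_unlink;  /* st_nlink seen through the descriptor */
};

int run_fd_demo(struct fd_demo *r)   /* 0 on success, -1 if setup failed */
{
    char path[] = "/tmp/portscan-demo-XXXXXX";   /* constructed scratch file */
    struct stat st;
    int fd = mkstemp(path);                      /* created 0600, opened read/write */
    if (fd < 0)
        return -1;
    /* Stand-in for the privilege drop: the path no longer grants us access. */
    if (fchmod(fd, 0) != 0) { close(fd); unlink(path); return -1; }
    /* The access check happened at open(); write() does not repeat it. */
    r->write_after_chmod = write(fd, "scan\n", 5);
    /* A new open() is checked against the current mode and credentials. */
    int fd2 = open(path, O_WRONLY);
    r->reopen_errno = (fd2 < 0) ? errno : 0;
    if (fd2 >= 0) close(fd2);
    /* Remove the name: the inode lives on until the last descriptor closes. */
    if (unlink(path) != 0) { close(fd); return -1; }
    r->write_after_unlink = write(fd, "scan\n", 5);
    if (fstat(fd, &st) != 0) { close(fd); return -1; }
    r->links_after_unlink = (long)st.st_nlink;
    close(fd);                                   /* the data is released here */
    return 0;
}

int main(void)
{
    struct fd_demo r;
    if (run_fd_demo(&r) != 0) { perror("setup"); return 1; }
    printf("chmod-write=%zd reopen-errno=%d unlink-write=%zd nlink=%ld\n",
           r.write_after_chmod, r.reopen_errno,
           r.write_after_unlink, r.links_after_unlink);
    return 0;
}
```

Run as root, the fresh `open()` succeeds and `reopen_errno` is 0, because root bypasses the mode check; the two writes through the existing descriptor succeed either way.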

