[Snort-devel] snort-2.6.0 Capabilities Patch.

Eric Lauzon eric.lauzon at ...1967...
Wed Jul 5 15:17:24 EDT 2006

Greeting, I am sending this to dev because it is more a proof of
concept than an actual patch, thus
it might turn out to be fine-tuned to work in the future.

There are 3 files to patch, configure.in, config.h.in and snort.c,
and one capability helper file, initcaps.c

Beforehand you might need to enable capabilities; if it is done then
skip to the snort part

1) enable capabilities in the kernel 
  (2.6.0 HINT, Security Option -> Enable different security models ->
Default Linux Capabilities[ON])

2) modify the kernel include before compiling [you might want to modify
this in /usr/include/linux/capability.h too]
-#define CAP_INIT_EFF_SET    to_cap_t(~0 & ~CAP_TO_MASK(CAP_SETPCAP))
-#define CAP_INIT_INH_SET    to_cap_t(0)
+#define CAP_INIT_EFF_SET    to_cap_t ( ~0 )
+#define CAP_INIT_INH_SET    to_cap_t ( ~0 )
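Review bot: the two `+` lines change a kernel-wide default, not something scoped to snort: every process the kernel starts from init will begin with a full initial effective set and a full inheritable set. The stock `CAP_INIT_EFF_SET` deliberately masks `CAP_SETPCAP` out, and step 3 says the goal is only to hand `CAP_SETPCAP` to init so initcaps can give/remove capabilities; the hunk does not explain why `CAP_INIT_INH_SET` must also go from `to_cap_t(0)` to `to_cap_t ( ~0 )`. Suggest documenting that second change (or dropping it if step 3 works without it) and stating plainly that this relaxation applies to the whole system for the proof of concept.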

3) Compile and install libcap (NOT LIBPCAP but libcap)

4) Compile initcaps.c with libcap and fix your boot loader to pass
   "init=/sbin/initcaps" to the kernel. (gives CAP_SETPCAP to init, so
you now can give/remove capabilities)
    gcc initcaps.c -o initcaps -lcap
    cp initcaps /sbin

5) reboot

Apply the patches

And finally configure snort:
./configure --enable-capabilities <your favorites options>

You might want to use -g <any uid> -u <any uid> while running snort to
have some beneficial behavior, else you might
want to inject some ptrace call somewhere in the process before the
SetUidGid() call and see the result by yourself, begone hax0r ;)

There is also a minor signal handling change I made to snort.c so you
don't get some odd race SIGSEGV, but that's not really important.

Enjoy and have a nice day.

ps: If you have enabled some kind of detached threads inside of snort,
be aware that you might unfortunately want to move the
    pthread_create() code after the SetUidGid() code in snort.c. Why!? You
might wonder where and why your thread/s is/are locking on
pthread_exit(), exit(), FatalError() ...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: initcaps.c
Type: application/octet-stream
Size: 1046 bytes
Desc: initcaps.c
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20060705/b3d9e654/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort.c-patch
Type: application/octet-stream
Size: 13073 bytes
Desc: snort.c-patch
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20060705/b3d9e654/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: config.h.in-patch
Type: application/octet-stream
Size: 424 bytes
Desc: config.h.in-patch
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20060705/b3d9e654/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: configure.in-patch
Type: application/octet-stream
Size: 2328 bytes
Desc: configure.in-patch
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20060705/b3d9e654/attachment-0003.obj>
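The core of what the snort.c patch has to do around SetUidGid() is shown here as an added example (not the author's initcaps.c or snort.c patch): switch to an unprivileged uid/gid while keeping only the capabilities a sniffer needs. It uses the raw capget/capset syscalls from <linux/capability.h> rather than libcap, so it needs no extra library; the uid/gid 65534 in the usage note is a placeholder.

```c
#define _GNU_SOURCE              /* for syscall() */
#include <stddef.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>   /* CAP_*, CAP_TO_MASK, __user_cap_* structs */

/* OR the bits of the listed capabilities into one 32-bit mask
 * (every capability used here is below 32, so one word suffices). */
uint32_t caps_mask(const int *caps, size_t n)
{
    uint32_t mask = 0;
    for (size_t i = 0; i < n; i++)
        mask |= CAP_TO_MASK(caps[i]);
    return mask;
}

/* Read our own effective set (low word); capget on self needs no privilege. */
int caps_effective(uint32_t *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *out = data[0].effective;
    return 0;
}

/* Become uid/gid but keep exactly `mask` permitted and effective.
 * Must run as root; returns 0 on success, -1 (errno set) on failure. */
int drop_root_keep_caps(uid_t uid, gid_t gid, uint32_t mask)
{
    /* Without KEEPCAPS, leaving uid 0 would empty the permitted set too. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    data[0].permitted = mask;
    data[0].effective = mask;   /* setuid() cleared effective; re-raise it */
    data[0].inheritable = 0;    /* nothing is passed on to child processes */
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -1;
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);   /* back to default semantics */
}
```

Called as root, `drop_root_keep_caps(65534, 65534, caps_mask((const int[]){ CAP_NET_RAW, CAP_NET_ADMIN }, 2))` leaves the process unprivileged except for raw-socket access, which is why any threads that need to be created as root must be started before this point. `caps_effective()` afterwards should report 0x3000 and nothing else.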
