[Snort-users] Chrooting snort
erek at ...577...
Thu Feb 28 22:18:03 EST 2002
On Fri, 1 Mar 2002, Alain Tesio wrote:
> On my machine, snort is killed by a SIGHUP when it's not running as
> root, whether it's in the jail or not:
Right. This is actually as expected, due to the way snort initializes.
> 05:40:13 root ~ #SNORT="/usr/sbin/snort -D -c /etc/snort/snort.conf -l
> /var/log/snort -b -d"
> 05:40:14 root ~ #$SNORT
> 05:40:17 root ~ #pidof snort
> 05:40:22 root ~ #killall -HUP snort
> 05:40:28 root ~ #pidof snort
> 05:40:30 root ~ #killall -KILL snort
Right. As it should.
> 05:40:35 root ~ #$SNORT -u snort -g snort
> 05:41:02 root ~ #pidof snort
> 05:41:05 root ~ #killall -HUP snort
> 05:41:13 root ~ #pidof snort
Again, as expected. Snort drops needs root to bind to the interface. Once
bound, it drops root privs.
> 05:41:17 root ~ #chroot /var/chroot/snort $SNORT
> 05:41:31 root ~ #pidof snort
> 05:41:39 root ~ #killall -HUP snort
> 05:41:44 root ~ #pidof snort
This _shouldn't_ work, but since it's using the chroot command instead of the
'-t <dir>' option, that could be the reason it does. Hrm.... *goes to open
up his C books*
> 05:41:48 root ~ #killall -KILL snort
> 05:41:54 root ~ #chroot /var/chroot/snort $SNORT -u snort -g snort
> 05:42:05 root ~ #pidof snort
> 05:42:11 root ~ #killall -HUP snort
> 05:42:15 root ~ #pidof snort
> 05:42:16 root ~ #
Ok, if I'm following this right, even though it's chrooted, it still needs to
have root privs to open the intereface. Since the user and group is changed
before the call to execv it no longer has root privs and can't open the
interface. Hrm... You might want to try it without the -D option to see what
errors snort is tossing when it gets the signal. Looks like I'll have
something to tinker with this weekend. :)
> Well, with the program I mentioned, if the 8 lines in the
> configuration are fine for your system, you just type
> "makejail examples/snort.py" and you have your jail ready.
I've not grabbed a copy and tinkered with it yet, so I'm going to ask a
possibly dumb question. Does it handle the libs that need to be linked in
with snort? For example, if you compile with mysql support, does it properly
handle the need for libmysqlclient.so.10? I do like the fact that it only
takes 8 lines of config vs. the 4 files that the create_cell script does.
More information about the Snort-users