[Snort-users] Run as user?

Matt Kettler mkettler at ...4108...
Thu Apr 3 11:03:14 EST 2003

On a Linux system ethernet interfaces have NO filesystem representative at 
all. They're entirely abstract and in-kernel, and the only way to access 
them is via system calls. AFAIK this is also true of *BSD type systems (it 
is true of my OpenBSD system).

Really, on a Linux box, the only way I know of to give a non-root 
permissions to do raw ethernet is to either modify the kernel source, or 
add a module that does it (some of the security patches have capability 
separation so you can grant raw device IO to a non-root user).

It should also be noted that whatever user you give said permissions to 
should be treated as root equivalent, since he who can control a network 
interface at a pcap level can hijack any connection to the machine quite 
trivially. This doesn't guarantee that someone logged in to this account 
will be able to elevate to root, but it does create a LOT more options so 
you should guard that account's password with the same amount of care as 
your root account.

 From a security standpoint you're much better off starting as root, 
chrooting and setuiding to a non-root user. This way the non-root user 
doesn't need pcap capabilities, since snort opens that up as root before 
setuiding. Of course, it sounds like you have other considerations that 
make you not want to do this as root, but you should be aware of the 
security issues.

If the problem you have is that you need a non-admin user to start snort, 
and you don't want to give them the root password, you might look at tools 
like sudo.

At 07:40 AM 4/3/2003 -0500, Erek Adams wrote:
> > well, I'm a proud member of that group. I cannot find how to give that
> > group perms on the device though. It's not in /dev...or /proc...where
> > could it be?
>I'm not sure about a Linux system, but there is an easy way to find out.
>Use lsof and see what devices is being used by Snort.

More information about the Snort-users mailing list