[Snort-users] Run as user?
mkettler at ...4108...
Thu Apr 3 11:03:14 EST 2003
On a Linux system ethernet interfaces have NO filesystem representative at
all. They're entirely abstract and in-kernel, and the only way to access
them is via system calls. AFAIK this is also true of *BSD type systems (it
is true of my OpenBSD system).
Really, on a Linux box, the only way I know of to give a non-root user
permissions to do raw ethernet is to either modify the kernel source, or
add a module that does it (some of the security patches have capability
separation so you can grant raw device IO to a non-root user).
It should also be noted that whatever user you give said permissions to
should be treated as root equivalent, since he who can control a network
interface at a pcap level can hijack any connection to the machine quite
trivially. This doesn't guarantee that someone logged in to this account
will be able to elevate to root, but it does create a LOT more options so
you should guard that account's password with the same amount of care as
your root account.
From a security standpoint you're much better off starting as root,
chrooting and setuiding to a non-root user. This way the non-root user
doesn't need pcap capabilities, since snort opens that up as root before
setuiding. Of course, it sounds like you have other considerations that
make you not want to do this as root, but you should be aware of the
If the problem you have is that you need a non-admin user to start snort,
and you don't want to give them the root password, you might look at tools
At 07:40 AM 4/3/2003 -0500, Erek Adams wrote:
> > well, I'm a proud member of that group. I cannot find how to give that
> > group perms on the device though. It's not in /dev...or /proc...where
> > could it be?
> I'm not sure about a Linux system, but there is an easy way to find out.
> Use lsof and see what devices are being used by Snort.
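The sequence Matt recommends above (open the capture handle as root, then chroot and setuid to an unprivileged account so that account never needs raw-socket rights) is shown below as an added example; it is not code from the thread or from Snort itself. It assumes Linux (an AF_PACKET raw socket stands in for pcap), an unprivileged account named "nobody", and a placeholder jail directory "/var/empty"; change both to suit the host.

```c
/* Added example: open a raw capture socket as root, then chroot and drop
 * to an unprivileged user, verifying the drop afterwards. Not Snort code. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <linux/if_ether.h>

/* Step 1 (still root): open the capture socket before giving anything up.
 * AF_PACKET/SOCK_RAW needs root (CAP_NET_RAW); the unprivileged user will
 * not have that after the drop, but the open descriptor stays valid. */
static int open_capture_socket(void) {
    return socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
}

/* Steps 2-4: chroot (skipped when chroot_dir is NULL), then drop group and
 * user privileges in that order. Returns 0 on success, -1 with errno set. */
int drop_privileges(const char *chroot_dir, uid_t uid, gid_t gid) {
    if (chroot_dir != NULL) {
        /* chdir("/") afterwards, or the old cwd is still outside the jail. */
        if (chroot(chroot_dir) != 0 || chdir("/") != 0) return -1;
    }
    /* Clear supplementary groups while still root; non-root cannot. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    /* Group before user: once the uid is unprivileged, setgid would fail. */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Step 5: confirm we now run as uid/gid and cannot regain root.
 * Returns 1 if the drop is complete and irreversible, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid) {
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    /* If we could setuid(0) again, the drop was cosmetic (saved uid 0). */
    if (uid != 0 && setuid(0) == 0) return 0;
    return 1;
}

int main(void) {
    const char *jail = "/var/empty";   /* placeholder jail directory */
    int fd = open_capture_socket();
    if (fd < 0) {
        fprintf(stderr, "raw socket: %s (run as root)\n", strerror(errno));
        return 1;
    }
    struct passwd *pw = getpwnam("nobody");   /* assumed unprivileged user */
    if (pw == NULL) {
        fprintf(stderr, "no such user: nobody\n");
        return 1;
    }
    if (drop_privileges(jail, pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    if (!privileges_dropped(pw->pw_uid, pw->pw_gid)) {
        fprintf(stderr, "privilege drop incomplete, refusing to run\n");
        return 1;
    }
    /* From here the capture fd is usable, but nothing else root-only is. */
    printf("capturing as uid %u inside %s, fd %d\n",
           (unsigned)pw->pw_uid, jail, fd);
    close(fd);
    return 0;
}
```

The order matters: the socket must be opened before setuid, setgroups and setgid must happen before setuid, and the final check guards against a drop that only changed the effective uid and left the saved uid as root.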