[Snort-users] Run as user?
joehill at ...3945...
Thu Apr 3 14:14:08 EST 2003
I think I'll leave that whole can of worms unopened. This is just a learning exercise.
Thanks for taking the time to explain this everyone.
On Thu, 03 Apr 2003 13:59:08 -0500
Matt Kettler <mkettler at ...4108...> wrote:
> On a Linux system ethernet interfaces have NO filesystem representative at
> all. They're entirely abstract and in-kernel, and the only way to access
> them is via system calls. AFAIK this is also true of *BSD type systems (it
> is true of my OpenBSD system).
> Really, on a Linux box, the only way I know of to give a non-root user
> permissions to do raw ethernet is to either modify the kernel source, or
> add a module that does it (some of the security patches have capability
> separation so you can grant raw device IO to a non-root user).
> It should also be noted that whatever user you give said permissions to
> should be treated as root equivalent, since he who can control a network
> interface at a pcap level can hijack any connection to the machine quite
> trivially. This doesn't guarantee that someone logged in to this account
> will be able to elevate to root, but it does create a LOT more options so
> you should guard that account's password with the same amount of care as
> your root account.
> From a security standpoint you're much better off starting as root,
> chrooting and setuiding to a non-root user. This way the non-root user
> doesn't need pcap capabilities, since snort opens that up as root before
> setuiding. Of course, it sounds like you have other considerations that
> make you not want to do this as root, but you should be aware of the
> security issues.
> If the problem you have is that you need a non-admin user to start snort,
> and you don't want to give them the root password, you might look at tools
> like sudo.
> At 07:40 AM 4/3/2003 -0500, Erek Adams wrote:
> > > well, I'm a proud member of that group. I cannot find how to give that
> > > group perms on the device though. It's not in /dev...or /proc...where
> > > could it be?
> > I'm not sure about a Linux system, but there is an easy way to find out.
> > Use lsof and see what devices are being used by Snort.
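The start-as-root, chroot, then setuid sequence Matt describes, written out as an added C example that is not part of this thread or of snort's own code. It assumes an unprivileged account with uid/gid 65534 (nobody) and a jail directory at /var/empty, and uses a raw IP socket to stand in for the pcap handle snort opens before dropping root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Order from the post: chroot while still root, then drop supplementary
 * groups, the gid, and the uid last (after setuid nothing else is allowed).
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (jail != NULL && (chroot(jail) != 0 || chdir("/") != 0))
        return -1;
    /* Clearing supplementary groups needs root; skip if already unprivileged. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    return (setgid(gid) == 0 && setuid(uid) == 0) ? 0 : -1;
}

/* 1 only if the process runs as uid/gid AND cannot get root back: setuid()
 * from root also clears the saved uid, so a later setuid(0) must fail. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (uid == 0 || getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return 0;
    return setuid(0) == -1 && errno == EPERM;
}

int main(void)
{
    /* Open the privileged capture handle FIRST, while still root (CAP_NET_RAW);
     * this is where snort's pcap_open_live() sits. A raw IP socket stands in. */
    int raw = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (raw < 0)
        perror("raw socket (expected to fail unless run as root)");
    /* Assumed unprivileged account 65534 (nobody) and jail /var/empty. */
    uid_t uid = getuid() ? getuid() : 65534;
    gid_t gid = getgid() ? getgid() : 65534;
    if (drop_privileges(getuid() ? NULL : "/var/empty", uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    /* The already-open handle survives the drop; new privileged opens do not. */
    printf("uid %d gid %d root-regainable=%s\n", (int)getuid(), (int)getgid(),
           privileges_dropped(uid, gid) ? "no" : "yes");
    return 0;
}
```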