[Snort-users] Run as user?

Joe Hill joehill at ...3945...
Thu Apr 3 14:14:08 EST 2003

I think I'll leave that whole can of worms unopened. This is just a learning exercise.

Thanks for taking the time to explain this everyone.

Your student,


On Thu, 03 Apr 2003 13:59:08 -0500
Matt Kettler <mkettler at ...4108...> wrote:

> On a Linux system ethernet interfaces have NO filesystem representative at 
> all. They're entirely abstract and in-kernel, and the only way to access 
> them is via system calls. AFAIK this is also true of *BSD type systems (it 
> is true of my OpenBSD system).
> Really, on a Linux box, the only way I know of to give a non-root 
> permissions to do raw ethernet is to either modify the kernel source, or 
> add a module that does it (some of the security patches have capability 
> separation so you can grant raw device IO to a non-root user).
> It should also be noted that whatever user you give said permissions to 
> should be treated as root equivalent, since he who can control a network 
> interface at a pcap level can hijack any connection to the machine quite 
> trivially. This doesn't guarantee that someone logged in to this account 
> will be able to elevate to root, but it does create a LOT more options so 
> you should guard that account's password with the same amount of care as 
> your root account.
>  From a security standpoint you're much better off starting as root, 
> chrooting and setuiding to a non-root user. This way the non-root user 
> doesn't need pcap capabilities, since snort opens that up as root before 
> setuiding. Of course, it sounds like you have other considerations that 
> make you not want to do this as root, but you should be aware of the 
> security issues.
> If the problem you have is that you need a non-admin user to start snort, 
> and you don't want to give them the root password, you might look at tools 
> like sudo.
> At 07:40 AM 4/3/2003 -0500, Erek Adams wrote:
> > > well, I'm a proud member of that group. I cannot find how to give that
> > > group perms on the device though. It's not in /dev...or /proc...where
> > > could it be?
> >
> >I'm not sure about a Linux system, but there is an easy way to find out.
> >Use lsof and see what devices is being used by Snort.
> -------------------------------------------------------
> This SF.net email is sponsored by: ValueWeb: 
> Dedicated Hosting for just $79/mo with 500 GB of bandwidth! 
> No other company gives more support or power for your dedicated server
> http://click.atdmt.com/AFF/go/sdnxxaff00300020aff/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list