[Snort-users] chroot vs.setuid

Lawrence Reed Lawrence.Reed at ...1444...
Tue Jul 8 11:02:07 EDT 2003


Hi Scott,

You can run both non-root and chrooted. I have been doing this for
some time, at least since 2.0beta.

My command line looks like:

snort -o -de -c $CHROOT_TO_DIR/conf/snort.conf -i $INTERFACE -t $CHROOT_TO_DIR \
      -u snortuser -g snortgroup -U -X -y -l $CHROOT_TO_DIR/data -m 017

I run that command as root so snort can set the interface in promisc and 
chroot() and then setuid()/setgid().


Good luck,
 
Scott Renna wrote:

>Hello Snort Users,
>
>I was wondering from all of you out there if anyone knows if it is
>"better" (more secure) to run Snort as root and use the -t switch for
>setting up the jail?  Or if it is better to setuid on the binary file
>snort and then drop privileges upon execution?
>
>I am running the chrooted environment on my home system just to see how
>it performs.  I'm not sure which way is more secure.  In the setup with
>setuid set, I have changed the group on the bpf devices to be the snort
>user's group.  This worries me only because a user in snort's group
>would have rw privileges to the bpf devices.  
>
>In the case of the chrooted option, I've found that snort can run just
>fine and access the bpf devices in /dev, even though there is no /dev
>under the new home directory for snort to run in.  
>
>Does anyone have any recommendations on which way would be more safe to
>operate in?  I've not used chroot too much, but to my knowledge, root
>is the only one that can do it.  Please let me know if anyone has any
>input.
>
>Scott
>
>***************************
>Scott Renna
>Head Systems Administrator
>Dynamic Animation Systems
>703-503-0500
>
>*************************** 
>
>
>

-- 
Larry Reed  Lawrence.Reed at ...1444...
NOAA IT Security Office
PGP Public Key:  http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772
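As an added illustration (my own code, not Larry's command or anything from the Snort source), here is the order of operations behind -t, -u and -g in C, ending with a check that root really cannot be regained; the function name, the error codes and the command-line usage are my own choices.

```c
/* Added example, not Snort's own code: the privilege-drop sequence that
 * snort -t/-u/-g performs once the interface is open. Order matters:
 * chroot() and chdir("/") first (root-only), then groups, gid, uid, and
 * finally a proof that root cannot be regained. Names are my own. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

enum drop_result {
    DROP_OK = 0,
    DROP_ERR_TARGET_IS_ROOT, /* "dropping" to uid/gid 0 is not a drop */
    DROP_ERR_NOT_ROOT,       /* chroot()/setuid() need root to begin with */
    DROP_ERR_CHROOT,
    DROP_ERR_CHDIR,
    DROP_ERR_SETGROUPS,
    DROP_ERR_SETGID,
    DROP_ERR_SETUID,
    DROP_ERR_REGAIN          /* setuid(0) still works: drop was incomplete */
};

int drop_into_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)    return DROP_ERR_TARGET_IS_ROOT;
    if (geteuid() != 0)          return DROP_ERR_NOT_ROOT;
    if (chroot(jail) != 0)       return DROP_ERR_CHROOT;
    if (chdir("/") != 0)         return DROP_ERR_CHDIR;     /* else cwd stays outside the jail */
    if (setgroups(0, NULL) != 0) return DROP_ERR_SETGROUPS; /* shed root's supplementary groups */
    if (setgid(gid) != 0)        return DROP_ERR_SETGID;    /* gid before uid: setgid needs root */
    if (setuid(uid) != 0)        return DROP_ERR_SETUID;
    /* Real, effective and saved uid are now all `uid`, so this must fail. */
    if (setuid(0) == 0 || setgid(0) == 0) return DROP_ERR_REGAIN;
    return DROP_OK;
}

int main(int argc, char **argv)
{
    if (argc != 4) { fprintf(stderr, "usage: %s JAIL USER GROUP\n", argv[0]); return 2; }
    struct passwd *pw = getpwnam(argv[2]);
    struct group *gr = getgrnam(argv[3]);
    if (!pw || !gr) { fprintf(stderr, "unknown user or group\n"); return 2; }
    int rc = drop_into_jail(argv[1], pw->pw_uid, gr->gr_gid);
    /* From here on the process is confined to JAIL and runs as USER:GROUP. */
    printf("result %d: uid=%u euid=%u gid=%u\n", rc,
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned)getgid());
    return rc == DROP_OK ? 0 : 1;
}
```

Run it as root with the same jail directory, user and group you give snort; a non-zero result tells you which step the drop stopped at.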