[Snort-users] chroot vs.setuid
Lawrence.Reed at ...1444...
Tue Jul 8 11:02:07 EDT 2003
You can run both non-root and chrooted. I have been doing this for
some time, at least since 2.0beta.
My command line looks like:
snort -o -de -c $CHROOT_TO_DIR/conf/snort.conf -i $INTERFACE -t
-u snortuser -g snortgroup -U -X -y -l $CHROOT_TO_DIR/data -m 017
I run that command as root so snort can set the interface in promisc and
chroot() and then setuid()/setgid().
Scott Renna wrote:
>Hello Snort Users,
>I was wondering from all of you out there if anyone knows if it is
>"better" (more secure) to run Snort as root and use the -t switch for
>setting up the jail? Or if it is better to setuid on the binary file
>snort and then drop privileges upon execution?
>I am running the chrooted environment on my home system just to see how
>it performs. I'm not sure which way is more secure. In the setup with
>setuid set, I have changed the group on the bpf devices to be the snort
>user's group. This worries me only because a user in snort's group
>would have rw privileges to the bpf devices.
>In the case of the chrooted option, I've found that snort can run just
>fine and access the bpf devices in /dev, even though there is no /dev
>under the new home directory for snort to run in.
>Does anyone have any recommendations on which way would be more safe to
>operate in? I've not used chroot too much, but to my knowledge, root
>is the only one that can do it. Please let me know if anyone has any
>Head Systems Administrator
>Dynamic Animation Systems
Larry Reed Lawrence.Reed at ...1444...
NOAA IT Security Office
PGP Public Key: http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772
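
Added example, not part of the original thread and not Snort's own code: a small C self-test of the order discussed above (open the privileged resource as root, chroot(), then setgid()/setuid()), which also shows why a descriptor opened before the chroot keeps working when the jail has no /dev. The names jail_selftest and JAIL_*, the /tmp jail, uid/gid 65534 and /dev/zero as a stand-in for the capture device are assumptions made for this example.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

enum { JAIL_OK, JAIL_NEEDS_ROOT, JAIL_OPEN, JAIL_CHROOT, JAIL_DROP,
       JAIL_REGAINED, JAIL_FD_LOST };

/* Child side: acquire, confine, drop, verify. Returns a JAIL_* code. */
static int jailed_child(const char *jail, uid_t uid, gid_t gid)
{
    char byte;
    if (geteuid() != 0) return JAIL_NEEDS_ROOT; /* chroot() needs privilege */
    /* 1. Open privileged resources first. /dev/zero is a stand-in for
     *    the capture device (assumption for this example). */
    int fd = open("/dev/zero", O_RDONLY);
    if (fd < 0) return JAIL_OPEN;
    /* 2. Confine, then chdir so the cwd cannot point outside the jail. */
    if (chroot(jail) != 0 || chdir("/") != 0) return JAIL_CHROOT;
    /* 3. Drop groups before the uid; after setuid() we no longer could. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_DROP;
    /* 4. The drop must be irreversible: regaining uid 0 has to fail. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid)
        return JAIL_REGAINED;
    /* 5. The descriptor still works although the jail has no /dev. */
    return read(fd, &byte, 1) == 1 ? JAIL_OK : JAIL_FD_LOST;
}

/* Runs the sequence in a forked child so the caller stays unchanged. */
int jail_selftest(const char *jail, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(jailed_child(jail, uid, gid));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed inputs: /tmp as the jail, 65534 as an unprivileged id. */
    printf("jail_selftest: %d\n", jail_selftest("/tmp", 65534, 65534));
    return 0;
}
```

Run as root, a result of 0 (JAIL_OK) means every step held; run as an ordinary user it returns 1 (JAIL_NEEDS_ROOT) without attempting anything.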