[Snort-users] chroot vs.setuid

Slighter, Tim tslighter at ...5174...
Tue Jul 8 11:04:07 EDT 2003

we run with the setuid switch for snort (-u -g) and then set the appropriate
directory privileges for the specific group/user.  From our security
perspective, this is a somewhat accetable risk in that the setuid privilege
that snort runs on is extremely limited and has access to only the
directories (/var/log/snort and /etc/snort).  In light of any potential
exploits such as the RPC, any intruder running a successful exploit and
gaining the privileges of the user running the service, will acquire only
the rights of that user account/group.  If you wish to go to extremes on
paranoia, provide the user with a restricted shell as well.  As for the
devices, it appears that this a "no win" situation.  if the group/user has
privileged access to the interface then any successful exploit will allow
that user to change the properties of the interface and most likely provide
them access to many binaries that could get them further into your network.
On the other hand, if running as root, then the intruder would have the
ability to change the properties of the interface and access to many other
binaries that the other user would not provide access to and that would not
be a highly desirable outcome.  Perhaps a way to circumvent this further
would be to implement sudo and secure the "ifconfig" binary for that user?

-----Original Message-----
From: Scott Renna [mailto:srenna at ...9588...]
Sent: Tuesday, July 08, 2003 11:07 AM
To: Snort-users at lists.sourceforge.net
Subject: [Snort-users] chroot vs.setuid

Hello Snort Users,

I was wondering from all of you out there if anyone knows if it is
"better"(more secure) to run Snort as root and use the -t swtich for
setting up the jail?  Or if it is better to setuid on the binary file
snort and then drop privileges upon execution?

I am running the chrooted environment on my home system just to see how
it performs.  I'm not sure which way is more secure.  In the setup with
setuid set, I have changed the group on the bpf devices to be the snort
user's group.  This worries me only because a user in snort's group
would have rw privileges to the bpf devices.  

In the case of the chrooted option, I've found that snort can run just
fine and access the bpf devices in /dev, even though there is no /dev
under the new home directory for snort to run in.  

Does anyone have any recommendations on which way would be more safe to
operate in ?  I've not used chroot too much, but to my knowledge, root
is the only one that can do it.  Please let me know if anyone has any


Scott Renna
Head Systems Administrator
Dynamic Animation Systems


This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list