[Snort-users] chroot vs.setuid
mkettler at ...4108...
Wed Jul 9 11:32:02 EDT 2003
At 01:06 PM 7/8/2003 -0400, Scott Renna wrote:
>I was wondering from all of you out there if anyone knows if it is
>"better" (more secure) to run Snort as root and use the -t switch for
>setting up the jail? Or if it is better to setuid on the binary file
>snort and then drop privileges upon execution?
If you can only do one or the other, I'd advise setuid, since chrooting
while still running as the root user is not likely to add security.
A root user can nearly always break out of a chroot jail, unless your OS
kernel has added provisions to prevent such breakouts. (Standard Linux does
NOT have such provisions, because they break compatibility rules; OpenBSD
might have them.)
So really the "right" way is to do both: chroot to a jail _and_ setuid to
a non-root user.
This has 0 performance impact, and adds a great deal of security against
exploitation of the snort process itself. The only headache is creating the
chroot jail to chroot into.
I would advise modifying your syslogd to create an auxiliary dev/log within
the chroot. This way you can get any syslog output from the startup of
snort if it bombs. If you use classic syslogd, just add a -a
/xxx/xxx/dev/log to your syslogd startup.
You might also want to mknod a dev/null within your chroot jail.
> This worries me only because a user in snort's group
>would have rw privileges to the bpf devices.
I did not have to modify the permissions on my /dev/bpf files to run
chroot/setuid. Mine are only in the real /dev and only rw to root.
crw------- 1 root wheel 23, 0 Dec 12 2000 /dev/bpf0.
However, you could create a "snort" group that isn't assigned to any users,
and setgid to that; then it's a moot point, as there are no users in the
"snort" group. This is considerably more secure than snort running as root,
since an exploit of setuid/setgid snort (i.e. the stream4 vulnerability)
will only give them access to the BPF devices, instead of full root access.
Here's my startup command line I use for snort:
/xxx/xxx/sbin/snort -k none -c /xxx/xxx/etc/snort.conf -t /xxx/xxx -l /xxx/xxx/var/log/snort -u yyy -g zzz -i nnn -D
Note that I've obviously changed the directory to /xxx, the username to
yyy, the group to zzz and the interface to nnn for security reasons.
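A small POSIX sh helper, added here as an example and not part of the original thread, that lays out the jail skeleton the startup line above expects (etc, var/log/snort, dev, with dev/null created via mknod only when running as root), verifies the jail before launch (including the dev/log socket that a syslogd -a option provides), and checks that a snort command line carries -t as well as -u and -g. The function names, the directory layout and the ps invocation (procps-style -eo) are assumptions.

```shell
#!/bin/sh
# Hypothetical helpers for a chroot + setuid/setgid snort deployment.
# The jail path is passed as $1; the layout below is an assumption.

# Create the directory skeleton under the jail. dev/null must be a
# character device (major 1, minor 3); mknod needs root, so it is only
# attempted when running as uid 0.
make_jail_skeleton() {
    jail="$1"
    for d in etc var/log/snort dev; do
        mkdir -p "$jail/$d" || return 1
    done
    if [ ! -c "$jail/dev/null" ] && [ "$(id -u)" -eq 0 ]; then
        mknod -m 666 "$jail/dev/null" c 1 3 || return 1
    fi
    return 0
}

# Verify the jail before starting snort. Returns 0 when everything is in
# place; otherwise prints what is missing and returns 1.
check_jail() {
    jail="$1"; rc=0
    [ -d "$jail/etc" ] || { echo "missing $jail/etc"; rc=1; }
    [ -d "$jail/var/log/snort" ] || { echo "missing $jail/var/log/snort"; rc=1; }
    [ -c "$jail/dev/null" ] || { echo "missing char device $jail/dev/null"; rc=1; }
    # The socket is created by syslogd itself (e.g. syslogd -a $jail/dev/log).
    [ -S "$jail/dev/log" ] || { echo "missing syslog socket $jail/dev/log"; rc=1; }
    return $rc
}

# Confirm a snort command line both chroots (-t) and drops privileges
# (-u and -g). Pass the full argument list; returns 0 only if all three
# flags are present.
cmd_has_jail_and_drop() {
    has_t=0; has_u=0; has_g=0
    for a in "$@"; do
        case "$a" in
            -t) has_t=1 ;;
            -u) has_u=1 ;;
            -g) has_g=1 ;;
        esac
    done
    [ "$has_t" -eq 1 ] && [ "$has_u" -eq 1 ] && [ "$has_g" -eq 1 ]
}

# Runtime check: returns 0 when no process named snort is running as uid 0.
snort_not_root() {
    ps -eo uid,comm 2>/dev/null |
        awk '$2 == "snort" && $1 == 0 { found = 1 } END { exit found ? 1 : 0 }'
}
```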