[Snort-users] chroot vs. setuid

Matt Kettler mkettler at ...4108...
Wed Jul 9 11:32:02 EDT 2003

At 01:06 PM 7/8/2003 -0400, Scott Renna wrote:
>I was wondering from all of you out there if anyone knows if it is
>"better" (more secure) to run Snort as root and use the -t switch for
>setting up the jail?  Or if it is better to setuid on the binary file
>snort and then drop privileges upon execution?

If you can only do one or the other, I'd advise setuid, since chrooting 
while still running as the root user is not likely to add security.

A root user can nearly always break out of a chroot jail, unless your OS 
kernel has added provisions to prevent such breakouts. (Standard Linux does 
NOT have such provisions, because they break compatibility rules; OpenBSD 
might have them.)

So really the "right" way is to do both: chroot to a jail _and_ setuid to 
a non-root user.

This has 0 performance impact, and adds a great deal of security against 
exploitation of the snort process itself. The only headache is creating the 
chroot jail to chroot into.

I would advise modifying your syslogd to create an auxiliary dev/log within 
the chroot. This way you can get any syslog output from the startup of 
snort if it bombs. If you use classic syslogd, just add a -a 
/xxx/xxx/dev/log to your syslogd startup.

You might also want to mknod a dev/null within your chroot jail.

>  This worries me only because a user in snort's group
>would have rw privileges to the bpf devices.

I did not have to modify the permissions on my /dev/bpf files to run 
chroot/setuid. Mine are only in the real /dev and only rw to root.
crw-------  1 root  wheel   23,   0 Dec 12  2000 /dev/bpf0.

However, you could create a "snort" group that isn't assigned to any users, 
and setgid to that; then it's a moot point, as there are no users in the 
"snort" group. This is considerably more secure than snort running as root, 
since an exploit of setuid/setgid snort (i.e. the stream4 vulnerability) 
will only give them access to the BPF devices, instead of full root access.

Here's my startup command line I use for snort:

/xxx/xxx/sbin/snort -k none -c /xxx/xxx/etc/snort.conf -t /xxx/xxx -l 
/xxx/xxx/var/log/snort -u yyy -g zzz -i nnn -D

Note that I've obviously changed the directory to /xxx, the username to 
yyy, the group to zzz and the interface to nnn for security reasons. 
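The "do both" sequence recommended in the reply above (chroot into a jail, then drop to a non-root uid/gid), written out as an added example. This is not Snort's own code and not the poster's; the jail path, uid and gid are constructed placeholders, and the final check only verifies that root cannot be reacquired afterwards, which is the property the reply relies on when it says a chroot alone does not help a process that is still root.

```c
/* Added example: chroot into a jail and then drop root, in the order that
 * keeps the jail meaningful. Not Snort's code; jail path, uid and gid used
 * by main() are constructed placeholders. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 when privileges are really gone: we are not uid 0 and the
 * kernel refuses to give uid/gid 0 back. Returns -1 otherwise. */
int confirm_unprivileged(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return -1;
    /* A correctly dropped process must not be able to reacquire root
     * (this also catches a leftover saved-set-uid of 0). */
    if (setuid(0) == 0 || setgid(0) == 0)
        return -1;
    return 0;
}

/* chroot into `jail`, then drop to uid/gid. Order matters:
 * 1. chdir() into the jail first, so the working directory is inside it
 *    when chroot() happens (a cwd left outside is a classic escape).
 * 2. chroot() while still root; it needs root (CAP_SYS_CHROOT on Linux).
 * 3. Clear supplementary groups, setgid(), and setuid() last: once the
 *    uid is gone the gid can no longer be changed. */
int jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {
        fprintf(stderr, "refusing to 'drop' to uid/gid 0\n");
        return -1;
    }
    if (chdir(jail) != 0) {
        fprintf(stderr, "chdir(%s): %s\n", jail, strerror(errno));
        return -1;
    }
    /* "." is the jail directory now, so this makes it the new root and
     * leaves the working directory at the jail's "/". */
    if (chroot(".") != 0) {
        fprintf(stderr, "chroot(%s): %s\n", jail, strerror(errno));
        return -1;
    }
    if (setgroups(0, NULL) != 0) {
        fprintf(stderr, "setgroups: %s\n", strerror(errno));
        return -1;
    }
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%lu): %s\n", (unsigned long)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%lu): %s\n", (unsigned long)uid, strerror(errno));
        return -1;
    }
    /* Never trust the drop blindly; prove it before doing any work. */
    return confirm_unprivileged();
}

int main(void)
{
    /* Constructed placeholders, standing in for the /xxx/xxx, yyy and zzz
     * of the startup line in the post. */
    const char *jail = "/srv/snort-jail";
    uid_t uid = 65534;
    gid_t gid = 65534;

    if (getuid() != 0) {
        fprintf(stderr, "run as root to exercise the chroot step\n");
        return 1;
    }
    if (jail_and_drop(jail, uid, gid) != 0)
        return 1;
    printf("inside %s as uid %lu gid %lu, root not recoverable\n",
           jail, (unsigned long)getuid(), (unsigned long)getgid());
    return 0;
}
```

The check in `confirm_unprivileged()` is the part worth keeping in any daemon startup path: the reply's point is that a root process in a chroot gains little, so a drop that silently failed (or left a saved uid of 0 behind) should abort startup rather than run "jailed" as root.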
