[Snort-users] Log file owned by root problem
mkettler at ...4108...
Thu May 6 12:18:05 EDT 2004
At 01:53 PM 5/6/2004, bitless at ...1364... wrote:
>My startup line is as follows,
>snort -c /etc/snort/snort_eth0/snort.conf -i eth0 -u snort -g
>Shouldn't this output a log file with uid/gid snort/snort?
No.. AFAIK snort opens the logs before doing a setuid.
The -u and -g parameters are basically intended to improve security by
revoking root privileges after snort has opened all privileged IO (pcap,
logs, etc). Thus, anyone exploiting snort no longer gets root privileges
right away (although they do have access to the pcap session snort has open
if they are talented enough), instead they get "snort" or "nobody"
privileges when trying to open new files, etc.
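
The ordering described in this reply, as an added C example that is not part of the original post and is not Snort's source: the log is opened first and privileges are dropped afterwards, so the file keeps the uid that created it while the open descriptor stays writable. The function name `open_then_drop`, the path `/tmp/demo_alert.log` and the "nobody" id 65534 are assumptions made for the illustration.

```c
#define _DEFAULT_SOURCE /* declares setgroups() under strict -std= modes */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Opens `path`, then switches to uid/gid. Reports the file's owner as seen
 * after the switch and whether the already-open descriptor still accepts
 * writes. Returns 0 on success, -1 on any failure. */
int open_then_drop(const char *path, uid_t uid, gid_t gid,
                   uid_t *owner, int *fd_still_writable)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0)
        return -1;
    /* Drop order matters: supplementary groups, then gid, then uid. */
    if (geteuid() == 0 && uid != 0 && setgroups(0, NULL) != 0)
        goto fail;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        goto fail;
    /* The drop must be irreversible: regaining root has to fail. */
    if (uid != 0 && setuid(0) == 0)
        goto fail;
    if (fstat(fd, &st) != 0)
        goto fail;
    *owner = st.st_uid; /* still the uid that created the file */
    *fd_still_writable = (write(fd, "alert\n", 6) == 6);
    close(fd);
    return 0;
fail:
    close(fd);
    return -1;
}

int main(void)
{
    uid_t owner;
    int ok;
    /* Assumption: 65534 is the unprivileged "nobody" uid/gid on this host. */
    uid_t target = geteuid() == 0 ? 65534 : geteuid();
    gid_t tgid = geteuid() == 0 ? 65534 : getegid();
    if (open_then_drop("/tmp/demo_alert.log", target, tgid, &owner, &ok) != 0)
        return 1;
    printf("running as uid=%d, log owner uid=%d, fd writable=%d\n",
           (int)getuid(), (int)owner, ok);
    return 0;
}
```

Started as root, this reports the process running as the unprivileged uid while the log owner is still uid 0, which is the behaviour the original question ran into.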