[Snort-users] Log file owned by root problem

Matt Kettler mkettler at ...4108...
Thu May 6 12:18:05 EDT 2004

At 01:53 PM 5/6/2004, bitless at ...1364... wrote:
>My startup line is as follows,
>snort -c /etc/snort/snort_eth0/snort.conf -i eth0 -u snort -g
>Shouldn't this output a log file with uid/gid snort/snort.

No.. AFAIK snort opens the logs before doing a setuid.

The -u and -g parameters are basically intended to improve security by 
revoking root privileges after snort has opened all privileged IO (pcap, 
logs, etc). Thus, anyone exploiting snort no longer gets root privileges 
right away (although they do have access to the pcap session snort has open 
if they are talented enough), instead they get "snort" or "nobody" 
privileges when trying to open new files, etc.

More information about the Snort-users mailing list