[Snort-users] Snort -u not creating logfiles with correct ownership

Matt Kettler mkettler at ...4108...
Fri Sep 16 11:52:03 EDT 2005


Joe S wrote:
> Snort is not creating the snort unified logs with the proper permissions.
> 
> As user root, I run this command to start snort:
> /usr/local/bin/snort -c /etc/snort/snort/conf -i bridge0 -l
> /nsm/hostname -u snort -g snort -D
> 
> 'ps -aux | grep snort' shows that snort is running as snort
> 
> Actual permissions of log/alert files:
> -rw-------  1 root   snort   24104711 Sep 12 23:22 snort.log.1126558421
> -rw-------  1 root   snort     471677 Sep 15 12:08 snort.log.1126810692
> -rw-------  1 root   snort         24 Sep 15 12:08 snort.log.1126811331
> -rw-------  1 root   snort    3572500 Sep 15 13:15 snort.log.1126811364
> -rw-------  1 root   snort         24 Sep 15 13:15 snort.log.1126815344
> -rw-------  1 root   snort   27977829 Sep 16 08:26 snort.log.1126815408
> 
> The logging directory is owned by snort.
> 
> What am I missing here?

Looks like snort is creating the log files after it does setgid, but before it
does setuid.

This makes sense, as it still needs to be root when it opens the pcap library.
Because of this, snort is likely to delay revoking its privileges with setuid
till late in the startup process.
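
An added illustration of the ordering described in the reply above, not part of the original message and not Snort's source code: a file opened after setgid() but before setuid() keeps the pre-drop owner, while one opened afterwards belongs to the run-as user. The function names and command-line arguments are hypothetical.

```c
/* Added illustration, not Snort source: a file's owner is the effective UID
   at open() time, so a log opened before setuid() keeps the old owner. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create path with mode 0600; return the owning UID, or (uid_t)-1 on error. */
static uid_t create_and_get_owner(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return (uid_t)-1;
    int rc = fstat(fd, &st);
    close(fd);
    return rc == 0 ? st.st_uid : (uid_t)-1;
}

/* Hypothetical startup order matching the reply: setgid, open the early log,
   setuid, open the late log. Supplementary groups are not handled here. */
int startup_sequence(uid_t run_uid, gid_t run_gid, const char *early_log,
                     const char *late_log, uid_t *early_owner, uid_t *late_owner)
{
    if (setgid(run_gid) != 0) return -1;
    *early_owner = create_and_get_owner(early_log); /* UID not yet changed */
    if (setuid(run_uid) != 0) return -1;
    *late_owner = create_and_get_owner(late_log);   /* now owned by run_uid */
    return (*early_owner == (uid_t)-1 || *late_owner == (uid_t)-1) ? -1 : 0;
}

int main(int argc, char **argv)
{
    /* Hypothetical arguments: <uid> <gid> <dir>; defaults need no privileges. */
    uid_t uid = argc > 3 ? (uid_t)atoi(argv[1]) : getuid();
    gid_t gid = argc > 3 ? (gid_t)atoi(argv[2]) : getgid();
    const char *dir = argc > 3 ? argv[3] : "/tmp";
    char early[512], late[512];
    uid_t eo = (uid_t)-1, lo = (uid_t)-1;
    snprintf(early, sizeof early, "%s/early.%ld", dir, (long)getpid());
    snprintf(late, sizeof late, "%s/late.%ld", dir, (long)getpid());
    if (startup_sequence(uid, gid, early, late, &eo, &lo) != 0) {
        perror("startup_sequence");
        return 1;
    }
    printf("early log uid=%ld, late log uid=%ld\n", (long)eo, (long)lo);
    return 0;
}
```

Started as root with the snort account's numeric UID and GID, this reports the early file as owned by UID 0 and the late file as owned by the snort UID.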





