Snort mailing list archives

Bug Roundup--Chroot Broken?

From: Erek Adams <erek () theadamsfamily net>
Date: Fri, 6 Jul 2001 16:45:21 -0700 (PDT)


chrooting seems a bit muddled.

/local/home/snort is where I'm chroot'ing it at.  Since that's going to become
the root, I've added dev, etc, var, usr, usr/local, local/home/snort and so on
into it.  Snort starts, runs, logs, does it all....  Until I send it a SIGHUP.
At that point, it would bail with the following:

Received SIGHUP. Restarting
        --== Initializing Snort ==--

[!] ERROR: Can not get write access to logging directory
/local/home/snort//var/log/snort.
(directory doesn't exist or permissions are set incorrectly
or it is not a directory at all)

But it does exist as /var/log/snort and
/local/home/var/log/snort.  So on a bit of a whim, I created
/local/home/snort/local/home/snort/var/log/snort.  Now it dies with:

Rule application order changed to Pass->Alert->Log

Initializing Network Interface le0
ERROR: OpenPcap() device le0 open:
        /dev/le0: No such file or directory
Fatal Error, Quitting..


Now, I'm guessing here--But is snort recursively chroot'ing itself?  Or am I
not getting how chroot'ing should work?

Is anyone using snort as a chroot'ed user?  Or am I the only one who's this
nutty?

Some facts:
  Solaris 2.7 fully patched.
  gcc version 2.95.2 19991024 (release)
  user:  snort
  group:  snort

Started with:
/usr/local/bin/snort -o -c /local/home/snort/snort.conf -t /local/home/snort
-u snort -g snort -h 206.xxx.xx.x/24 -y

truss output:
[...snip...]

open("/usr/share/lib/zoneinfo/US/Pacific", O_RDONLY) = 3
read(3, "\0\0\0\0\0\0\0\0\0\0\0\0".., 8192)     = 1000
close(3)                                        = 0
ioctl(1, TCGETA, 0xEFFFEC7C)                    = 0
write(1, "\n                 - - =".., 38)      = 38
stat("/local/home/snort//var/log/snort", 0xEFFFFAA0) Err#2 ENOENT
write(2, "\n [ ! ]   E R R O R :  ".., 58)      = 58
write(2, " / l o c a l / h o m e /".., 32)      = 32
write(2, " .\n ( d i r e c t o r y".., 96)      = 96
write(2, " F a t a l   E r r o r ,".., 24)      = 24
llseek(0, 0, SEEK_CUR)                          = 25185
_exit(1)


-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Bug Roundup--Chroot Broken? Erek Adams (Jul 06)
- Re: Bug Roundup--Chroot Broken? Chris Green (Jul 06)
  - Re: Bug Roundup--Chroot Broken? Erek Adams (Jul 07)