Snort mailing list archives

Re: chroot vs.setuid


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 09 Jul 2003 14:28:22 -0400

At 01:06 PM 7/8/2003 -0400, Scott Renna wrote:
> I was wondering from all of you out there if anyone knows if it is
> "better" (more secure) to run Snort as root and use the -t switch for
> setting up the jail?  Or if it is better to setuid on the binary file
> snort and then drop privileges upon execution?


If you can only do one or the other, I'd advise setuid, since chrooting while still running as the root user is not likely to add security.

A root user can nearly always break out of a chroot jail, unless your OS kernel has added provisions to prevent such breakouts. (Standard Linux does NOT have such provisions, because they break compatibility rules; OpenBSD might have them.)

So really the "right" way is to do both: chroot to a jail _and_ setuid to a non-root user.

This has 0 performance impact, and adds a great deal of security against exploitation of the snort process itself. The only headache is creating the chroot jail to chroot into.

I would advise modifying your syslogd to create an auxiliary dev/log within the chroot. This way you can get any syslog output from the startup of snort if it bombs. If you use classic syslogd, just add a -a /xxx/xxx/dev/log to your syslogd startup.

You might also want to mknod a dev/null within your chroot jail.


> This worries me only because a user in snort's group
> would have rw privileges to the bpf devices.

I did not have to modify the permissions on my /dev/bpf files to run chroot/setuid. Mine are only in the real /dev and only rw to root.
crw-------  1 root  wheel   23,   0 Dec 12  2000 /dev/bpf0.

However you could create a "snort" group that isn't assigned to any users, and setgid to that; then it's a moot point, as there are no users in the "snort" group. This is considerably more secure than snort running as root, since an exploit of setuid/setgid snort (i.e. the stream4 vulnerability) will only give them access to the BPF devices, instead of full root access.

Here's my startup command line I use for snort:

/xxx/xxx/sbin/snort -k none -c /xxx/xxx/etc/snort.conf -t /xxx/xxx -l /xxx/xxx/var/log/snort -u yyy -g zzz -i nnn -D

Note that I've obviously changed the directory to /xxx, the username to yyy, the group to zzz and the interface to nnn for security reasons.
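As an added example (not part of Matt's mail or of Snort itself), a POSIX shell script that builds the jail skeleton described above and checks two things worth confirming before starting: that the snort group has no human members, and that nothing setuid/setgid sits inside the jail. The jail path, user, group and interface names are placeholder assumptions, like /xxx/xxx, yyy, zzz and nnn in the mail.

```shell
#!/bin/sh
# Added example, not from the original mail. Jail path, user and group
# names are placeholders (assumptions).
set -eu

# Create the directory skeleton snort expects inside the jail.
# dev/log is supplied by "syslogd -a $jail/dev/log"; dev/null is made here.
make_jail() {
    jail="$1"
    mkdir -p "$jail/etc" "$jail/dev" "$jail/var/log/snort"
    if [ ! -e "$jail/dev/null" ]; then
        if [ "$(id -u)" -eq 0 ]; then
            mknod -m 666 "$jail/dev/null" c 1 3   # char device 1,3 = /dev/null
        else
            echo "not root: skipping mknod $jail/dev/null" >&2
        fi
    fi
}

# Given one /etc/group line (name:pw:gid:members), succeed only if the
# member list is empty, i.e. only the setgid snort process is in the group.
group_line_has_no_members() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    [ -z "$members" ]
}

# Look the group up in /etc/group and apply the check above.
snort_group_is_empty() {
    line=$(grep "^$1:" /etc/group) || return 1
    group_line_has_no_members "$line"
}

# Count setuid/setgid files under the jail; there should be none, since
# snort runs as the unprivileged -u/-g identity once it is started.
count_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# The start line from the mail, with the placeholders substituted.
snort_start_line() {
    jail="$1"; user="$2"; group="$3"; iface="$4"
    printf '%s/sbin/snort -k none -c %s/etc/snort.conf -t %s -l %s/var/log/snort -u %s -g %s -i %s -D\n' \
        "$jail" "$jail" "$jail" "$jail" "$user" "$group" "$iface"
}
```

Run make_jail as root once, then use snort_group_is_empty and count_setuid_files as a pre-start check in the init script.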

