Snort mailing list archives

problem writing in /var/run on FreeBSD 10.x on Snort startup...


From: Bill Parker <wp02855 () gmail com>
Date: Mon, 31 Aug 2015 10:12:58 -0700

Snort startup:

Here is the line which does not work on snort startup:

root@plugh:/usr/local/bin # ./snort -D -i em0 -c /etc/snort/snort.conf -u snort -g snort -l /var/log/snort

Aug 30 08:56:36 plugh kernel: em0: promiscuous mode enabled
Aug 30 08:56:36 plugh snort[3912]: Chroot directory = /var/log/snort/20150830
Aug 30 08:56:36 plugh snort[3912]: Set gid to 30000
Aug 30 08:56:36 plugh snort[3912]: Set uid to 30000
Aug 30 08:56:36 plugh snort[3912]: Checking PID path...
Aug 30 08:56:36 plugh snort[3912]: WARNING: _PATH_VARRUN is invalid, trying /var/log/ ...
Aug 30 08:56:36 plugh snort[3912]: WARNING: /var/log/ is invalid, logging Snort PID path to log directory (/).
Aug 30 08:56:36 plugh snort[3912]: Writing PID "3912" to file "///snort_em0ids.pid"
Aug 30 08:56:36 plugh snort[3912]:
Aug 30 08:56:36 plugh snort[3912]:         --== Initialization Complete ==--

Using -u snort and -g snort in the startup line causes the above error,
probably due to permissions problems. If the -u and -g are omitted,
the '/var/run/snort*.pid' file is created normally while running as
root.

Here is a line without the -u and -g parameters invoked:

root@plugh:/usr/local/bin # ./snort -D -i em0 -c /etc/snort/snort.conf -l /var/log/snort

Aug 30 09:09:44 plugh snort[3973]: pcap DAQ configured to passive.
Aug 30 09:09:44 plugh snort[3973]: Acquiring network traffic from "em0".
Aug 30 09:09:44 plugh snort[3973]: Initializing daemon mode
Aug 30 09:09:44 plugh snort[3974]: Daemon initialized, signaled parent pid: 3973
Aug 30 09:09:44 plugh snort[3974]: Reload thread starting...
Aug 30 09:09:44 plugh snort[3974]: Reload thread started, thread 0x8150e6800 (3974)
Aug 30 09:09:44 plugh snort[3974]: Decoding Ethernet
Aug 30 09:09:44 plugh snort[3974]: Checking PID path...
Aug 30 09:09:44 plugh snort[3974]: PID path stat checked out ok, PID path set to /var/run/
Aug 30 09:09:44 plugh snort[3974]: Writing PID "3974" to file "/var/run//snort_em0.pid"
Aug 30 09:09:44 plugh snort[3974]:
Aug 30 09:09:44 plugh snort[3974]:         --== Initialization Complete ==--

Here is the same setup on FreeBSD 8.4:

Aug 30 17:54:47 moocow kernel: em0: promiscuous mode enabled
Aug 30 17:54:47 moocow snort[687]: Checking PID path...
Aug 30 17:54:47 moocow snort[687]: PID path stat checked out ok, PID path set to /var/run/
Aug 30 17:54:47 moocow snort[687]: Writing PID "687" to file "/var/run//snort_em0_ids.pid"
Aug 30 17:54:47 moocow snort[687]: Chroot directory = /var/log/snort/20150830
Aug 30 17:54:47 moocow snort[687]: Set gid to 40000
Aug 30 17:54:47 moocow snort[687]: Set uid to 40000

As you can see, the gid and uid values are set after the PID path stat is
checked for write status, which appears NOT to be the case in FreeBSD 9.x
and 10.x, but the version I am using on FreeBSD 8.4 is 2.9.7.0. Did anything
change in utils.c from 2.9.7.0 to 2.9.7.5? (Though the PID should be written
before snort is forked as an independent daemon running under -u and -g...)

Any ideas here folks?

Bill
------------------------------------------------------------------------------
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
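
The two logs in the message differ in whether the PID path check runs before or after the uid/gid change. As an added example (not Snort's code and not part of the original message), this C program evaluates which candidate PID directory each identity could write to, using the candidate order and the 30000 uid/gid shown in the FreeBSD 10.x log. The function names are hypothetical, and it assumes classic owner/group/other mode bits only, ignoring ACLs, supplementary groups and the chroot.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: 1 if uid/gid could create a file in dir, 0 if not,
 * -1 if dir is missing or not a directory. Mode bits only (assumption). */
int dir_writable_as(const char *dir, uid_t uid, gid_t gid)
{
    struct stat st;
    mode_t w, x;

    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    if (uid == 0)
        return 1;                        /* root bypasses the mode bits */
    if (st.st_uid == uid)      { w = S_IWUSR; x = S_IXUSR; }
    else if (st.st_gid == gid) { w = S_IWGRP; x = S_IXGRP; }
    else                       { w = S_IWOTH; x = S_IXOTH; }
    /* Creating the PID file needs write AND search permission on dir. */
    return (st.st_mode & w) && (st.st_mode & x);
}

/* First candidate the identity can write to, or NULL if none qualifies. */
const char *pick_pid_dir(const char *const *cands, size_t n,
                         uid_t uid, gid_t gid)
{
    for (size_t i = 0; i < n; i++)
        if (dir_writable_as(cands[i], uid, gid) == 1)
            return cands[i];
    return NULL;
}

int main(void)
{
    /* Candidate order taken from the log; 30000 is the uid/gid it reports. */
    const char *cands[] = { "/var/run", "/var/log" };
    const char *root_dir = pick_pid_dir(cands, 2, 0, 0);
    const char *user_dir = pick_pid_dir(cands, 2, 30000, 30000);

    printf("before privilege drop (uid 0):     %s\n",
           root_dir ? root_dir : "(none usable)");
    printf("after privilege drop (uid 30000):  %s\n",
           user_dir ? user_dir : "(none usable)");
    return 0;
}
```

If the second line reports no usable directory, a PID file written after the uid/gid change can only land in a fallback location, which matches the warnings in the first log.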
