Snort mailing list archives

Re: Run as user?


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 03 Apr 2003 13:59:08 -0500

On a Linux system ethernet interfaces have NO filesystem representative at all. They're entirely abstract and in-kernel, and the only way to access them is via system calls. AFAIK this is also true of *BSD type systems (it is true of my OpenBSD system).

Really, on a Linux box, the only way I know of to give a non-root user permissions to do raw ethernet is to either modify the kernel source, or add a module that does it (some of the security patches have capability separation so you can grant raw device IO to a non-root user).

It should also be noted that whatever user you give said permissions to should be treated as root equivalent, since he who can control a network interface at a pcap level can hijack any connection to the machine quite trivially. This doesn't guarantee that someone logged in to this account will be able to elevate to root, but it does create a LOT more options so you should guard that account's password with the same amount of care as your root account.

From a security standpoint you're much better off starting as root, chrooting and setuiding to a non-root user. This way the non-root user doesn't need pcap capabilities, since snort opens that up as root before setuiding. Of course, it sounds like you have other considerations that make you not want to do this as root, but you should be aware of the security issues.

If the problem you have is that you need a non-admin user to start snort, and you don't want to give them the root password, you might look at tools like sudo.

At 07:40 AM 4/3/2003 -0500, Erek Adams wrote:
> well, I'm a proud member of that group. I cannot find how to give that
> group perms on the device though. It's not in /dev...or /proc...where
> could it be?

I'm not sure about a Linux system, but there is an easy way to find out.
Use lsof and see what device is being used by Snort.
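
The start-as-root, chroot, then setuid sequence described in the message above, as an added example that is not part of the original post and is not Snort's own code. It assumes Linux, uses an AF_PACKET raw socket as a stand-in for the pcap handle, and the jail path and uid/gid 65534 are placeholders.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <linux/if_ether.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open the capture socket. This needs root, so it happens before the drop. */
int open_capture(void)
{
    return socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
}

/* Confine the process to `jail`, then give up root for good.
 * Returns 0 on success, -1 with errno set; the caller must exit on failure. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {                /* "dropping" to root drops nothing */
        errno = EINVAL;
        return -1;
    }
    if (chroot(jail) != 0 || chdir("/") != 0)  /* chroot needs root: do it first */
        return -1;
    if (setgroups(0, NULL) != 0)               /* clear supplementary groups */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)  /* gid before uid, uid last */
        return -1;
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid) {
        errno = EPERM;                         /* root still reachable: fail */
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Placeholder jail directory and unprivileged uid/gid (assumptions). */
    int fd = open_capture();
    if (fd < 0) { perror("open_capture"); return 1; }
    if (drop_privileges("/var/empty", 65534, 65534) != 0) { perror("drop_privileges"); return 1; }
    /* fd stays usable here, although this uid could not have opened it itself. */
    printf("capturing on fd %d as uid %d\n", fd, (int)getuid());
    close(fd);
    return 0;
}
```

The unprivileged account never holds raw-socket rights of its own; it only inherits the one descriptor opened before the drop.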


