Snort mailing list archives

Re: chroot vs.setuid

From: "Lawrence Reed" <Lawrence.Reed () noaa gov>
Date: Tue, 08 Jul 2003 18:01:37 +0000

Hi Scott,

You can run both non-root and chrooted. I have been doing this forsometime, at least since 2.0beta.


My command line looks like:

snort -o -de -c $CHROOT_TO_DIR/conf/snort.conf -i $INTERFACE -t$CHROOT_TO_DIR \

        -u snortuser -g snortgroup -U -X -y -l $CHROOT_TO_DIR/data -m 017

I run that command as root so snort can set the interface in promisc andchroot() and then setuid()/setgid().



Good luck,

Scott Renna wrote:

Hello Snort Users,

I was wondering from all of you out there if anyone knows if it is
"better"(more secure) to run Snort as root and use the -t swtich for
setting up the jail?  Or if it is better to setuid on the binary file
snort and then drop privileges upon execution?

I am running the chrooted environment on my home system just to see how
it performs.  I'm not sure which way is more secure.  In the setup with
setuid set, I have changed the group on the bpf devices to be the snort
user's group.  This worries me only because a user in snort's group

would have rw privileges to the bpf devices.

In the case of the chrooted option, I've found that snort can run just
fine and access the bpf devices in /dev, even though there is no /dev

under the new home directory for snort to run in.

Does anyone have any recommendations on which way would be more safe to
operate in ?  I've not used chroot too much, but to my knowledge, root
is the only one that can do it.  Please let me know if anyone has any
input.

Scott

***************************
Scott Renna
Head Systems Administrator
Dynamic Animation Systems
703-503-0500

***************************



-------------------------------------------------------
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Larry Reed  Lawrence.Reed () noaa gov
NOAA IT Security Office
PGP Public Key:  http://search.keyserver.net:11371/pks/lookup?op=get&search=0x7A998772




-------------------------------------------------------
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

chroot vs.setuid Scott Renna (Jul 08)
- Re: chroot vs.setuid Lawrence Reed (Jul 08)
- Re: chroot vs.setuid Matt Kettler (Jul 09)
- <Possible follow-ups>
- RE: chroot vs.setuid Slighter, Tim (Jul 08)