Snort mailing list archives
Re: Log file owned by root problem
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 06 May 2004 15:17:10 -0400
At 01:53 PM 5/6/2004, bitless () rcn com wrote:
> My startup line is as follows:
> snort -c /etc/snort/snort_eth0/snort.conf -i eth0 -u snort -g snort
> Shouldn't this output a log file with uid/gid snort/snort?
No.. AFAIK snort opens the logs before doing a setuid. The -u and -g parameters are basically intended to improve security by revoking root privileges after snort has opened all privileged IO (pcap, logs, etc). Thus, anyone exploiting snort no longer gets root privileges right away (although they do have access to the pcap session snort has open if they are talented enough), instead they get "snort" or "nobody" privileges when trying to open new files, etc.
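The open-then-drop ordering described in the reply above, as an added example in C. It is not Snort's code and not part of the original post. The helper names `drop_privileges` and `open_log_then_drop` and the `/tmp` path are hypothetical. It shows why the log keeps the owner of whoever opened it, and that the already-open descriptor stays writable after the drop.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: give up root for good. Supplementary groups and gid
 * must be changed before the uid, while the process may still change them. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1; /* drop must be irreversible */
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Hypothetical helper: open the log first, then drop. *owner receives the
 * file's uid, fixed by the effective uid at open() time. Returns the fd, still
 * writable after the drop, or -1 on any failure. */
int open_log_then_drop(const char *path, uid_t uid, gid_t gid, uid_t *owner)
{
    static const char msg[] = "alert written after privilege drop\n";
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || drop_privileges(uid, gid) != 0 ||
        write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) {
        close(fd);
        return -1;
    }
    *owner = st.st_uid;
    return fd;
}

int main(int argc, char **argv)
{
    /* Constructed defaults: a /tmp path and our own ids, so it also runs
     * unprivileged. As root, pass the unprivileged uid and gid as arguments. */
    uid_t uid = argc > 2 ? (uid_t)atoi(argv[1]) : getuid(), owner;
    gid_t gid = argc > 2 ? (gid_t)atoi(argv[2]) : getgid();
    int fd = open_log_then_drop("/tmp/open_then_drop.log", uid, gid, &owner);
    if (fd < 0) { perror("open_log_then_drop"); return 1; }
    printf("log owner uid=%u, now running as uid=%u\n", (unsigned)owner, (unsigned)geteuid());
    return close(fd);
}
```

Run as root with an unprivileged uid and gid as arguments, the reported log owner is 0 while the process continues as the unprivileged user, which is the behaviour the original poster observed.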