Snort mailing list archives

Re: Snort -u not creating logfiles with correct ownership


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 16 Sep 2005 14:50:37 -0400

Joe S wrote:
> Snort is not creating the snort unified logs with the proper permissions.
>
> As user root, I run this command to start snort:
> /usr/local/bin/snort -c /etc/snort/snort/conf -i bridge0 -l /nsm/hostname -u snort -g snort -D
>
> 'ps -aux | grep snort' shows that snort is running as snort
>
> Actual permissions of log/alert files:
> -rw-------  1 root   snort   24104711 Sep 12 23:22 snort.log.1126558421
> -rw-------  1 root   snort     471677 Sep 15 12:08 snort.log.1126810692
> -rw-------  1 root   snort         24 Sep 15 12:08 snort.log.1126811331
> -rw-------  1 root   snort    3572500 Sep 15 13:15 snort.log.1126811364
> -rw-------  1 root   snort         24 Sep 15 13:15 snort.log.1126815344
> -rw-------  1 root   snort   27977829 Sep 16 08:26 snort.log.1126815408
>
> The logging directory is owned by snort.
>
> What am I missing here?

Looks like snort is creating the log files after it does setgid, but before it
does setuid.

This makes sense, as it still needs to be root when it opens the pcap library.
Because of this, snort is likely to delay revoking its privileges with setuid
till late in the startup process.
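
The ordering suggested in the reply above, sketched in C as an added example (not Snort's source and not part of the original message). `open_log_then_drop` and its `fix_owner` flag are hypothetical names; with `fix_owner` set, the file is handed to the unprivileged user with `fchown()` while the process can still do so.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for setgroups() and O_NOFOLLOW on glibc */
#endif
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Snort code): drop group, create the log file,
 * then drop user, i.e. the ordering guessed at in the reply above.
 * fix_owner == 0 leaves the file owned by whoever created it (root in the
 * thread); fix_owner != 0 hands it to the unprivileged uid before setuid().
 * Returns the file's owner after the drop, or (uid_t)-1 on any failure. */
uid_t open_log_then_drop(const char *path, uid_t uid, gid_t gid, int fix_owner)
{
    struct stat st;
    uid_t owner = (uid_t)-1;
    int fd;

    if (geteuid() == 0 && setgroups(1, &gid) != 0) /* shed root's extra groups */
        return owner;
    if (setgid(gid) != 0)                          /* must precede setuid() */
        return owner;
    /* Created here: owner = current euid, group normally = gid, mode 0600. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return owner;
    if (fix_owner && fchown(fd, uid, gid) != 0)    /* uses privilege still held */
        goto out;
    if (setuid(uid) != 0)                          /* the late uid drop */
        goto out;
    if (uid != 0 && setuid(0) == 0)                /* regaining root must fail */
        goto out;
    if (fstat(fd, &st) == 0)
        owner = st.st_uid;
out:
    close(fd);
    return owner;
}

int main(void)
{
    /* Constructed demo: "drop" to our own ids so it also runs unprivileged. */
    unlink("demo.log");
    uid_t o = open_log_then_drop("demo.log", getuid(), getgid(), 1);
    printf("demo.log owner uid after drop: %ld\n", (long)o);
    return o == getuid() ? 0 : 1;
}
```

Started as root with `fix_owner` set to 0 and an unprivileged target uid, the function returns 0: the same root-owned, mode 0600 file shown in the listing above.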