Snort mailing list archives
Re: Snort -u not creating logfiles with correct ownership
From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 16 Sep 2005 14:50:37 -0400
Joe S wrote:
> Snort is not creating the snort unified logs with the proper permissions. As user root, I run this command to start snort:
>
>     /usr/local/bin/snort -c /etc/snort/snort/conf -i bridge0 -l /nsm/hostname -u snort -g snort -D
>
> 'ps -aux | grep snort' shows that snort is running as snort
>
> Actual permissions of log/alert files:
>
>     -rw------- 1 root snort 24104711 Sep 12 23:22 snort.log.1126558421
>     -rw------- 1 root snort 471677 Sep 15 12:08 snort.log.1126810692
>     -rw------- 1 root snort 24 Sep 15 12:08 snort.log.1126811331
>     -rw------- 1 root snort 3572500 Sep 15 13:15 snort.log.1126811364
>     -rw------- 1 root snort 24 Sep 15 13:15 snort.log.1126815344
>     -rw------- 1 root snort 27977829 Sep 16 08:26 snort.log.1126815408
>
> The logging directory is owned by snort. What am I missing here?
Looks like snort is creating the log files after it does setgid, but before it does setuid. This makes sense, as it still needs to be root when it opens the pcap library. Because of this snort is likely to delay revoking its privileges with setuid till late in the startup process.
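The startup ordering described in the reply above, as an added C example that is not Snort's code and not part of the original thread: a log file opened before the setuid() call keeps root as its owner unless ownership is handed over explicitly. The function names, the /tmp path and the use of fchown() as the remedy are assumptions made for illustration.

```c
/* Added example, not Snort source; function names are hypothetical. */
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the log while still privileged, then hand it to the run-as
 * account so it is not left owned by root after the drop. */
int open_log_as(const char *path, uid_t uid, gid_t gid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd >= 0 && fchown(fd, uid, gid) != 0) {  /* on the fd, not the path */
        close(fd);
        return -1;
    }
    return fd;
}

/* Drop order: supplementary groups, gid, then uid. After setuid() the
 * process no longer has the privilege to change its groups. */
int drop_privs(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getegid() != gid)
        return -1;                    /* drop did not take effect */
    if (uid != 0 && setuid(0) == 0)
        return -1;                    /* root must not be regainable */
    return 0;
}

uid_t owner_of(int fd)  /* owner uid of an open file, (uid_t)-1 on error */
{
    struct stat st;
    return fstat(fd, &st) == 0 ? st.st_uid : (uid_t)-1;
}

int main(void)
{
    /* Constructed demo: the caller's own ids, so it also runs unprivileged. */
    int fd = open_log_as("/tmp/privdrop_demo.log", getuid(), getgid());
    if (fd < 0 || drop_privs(getuid(), getgid()) != 0)
        return 1;
    return owner_of(fd) == getuid() ? 0 : 1;
}
```

Run as root with a real service uid and gid, the file ends up owned by that account and stays writable through the already-open descriptor after the drop.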