I've updated the snort package. The package is now working well, but I
have a question:
I am creating a snort user and group during the package installation.
Should we reserve a UID / GID for it? I think this is important because
snort should run with fewer privileges since it can monitor the
network, integrate itself with iptables and so on.
-- Hugo
07-17-2008, 01:27 PM
RedShift
Snort UID / GID
Hugo Doria wrote:
> I've updated the snort package. The package is now working well, but I
> have a question:
> I am creating a snort user and group during the package installation.
> Should we reserve a UID / GID for it? I think this is important because
> snort should run with fewer privileges since it can monitor the
> network, integrate itself with iptables and so on.
> -- Hugo
Why can't the users themselves create a snort uid/gid...
07-17-2008, 01:55 PM
"Hugo Doria"
Snort UID / GID
On Thu, Jul 17, 2008 at 10:27 AM, RedShift <redshift@pandora.be> wrote:
> Why can't the users themselves create a snort uid/gid...
As snort itself will run with the snort user/group, it is better to
create them during the installation.
-- Hugo
07-17-2008, 03:09 PM
RedShift
Snort UID / GID
Hugo Doria wrote:
> On Thu, Jul 17, 2008 at 10:27 AM, RedShift <redshift@pandora.be> wrote:
>> Why can't the users themselves create a snort uid/gid...
> As snort itself will run with the snort user/group, it is better to
> create them during the installation.
> -- Hugo
Why is it better to create them during installation?
Glenn
07-17-2008, 03:40 PM
"Hugo Doria"
Snort UID / GID
This way, snort can work out of the box with fewer privileges.
Anyone who wants can put snort to run with another user.
And, in any case, this email was just a question.
-- Hugo
07-17-2008, 03:46 PM
"Aaron Griffin"
Snort UID / GID
On Thu, Jul 17, 2008 at 10:40 AM, Hugo Doria <hugodoria@gmail.com> wrote:
> This way, snort can work out of the box with fewer privileges.
> Anyone who wants can put snort to run with another user.
>
> And, in any case, this email was just a question.
I don't see why people have such an issue with creating UIDs/GIDs out
of the box. I don't have a problem with it, as long as we don't do it
on every flippin package under the sun. Is it possible to use 'nobody'
for snort, or is there a security risk there too?
07-17-2008, 06:13 PM
"Hugo Doria"
Snort UID / GID
The problem with using the user "nobody" is that if it is used for
various services and one of these is compromised, it can also affect
snort.
IMHO, we have two options:
1) Create a "snort" user/group and provide a package with fewer
privileges by default (users can change that if they want)
2) Run snort as "nobody" and put a message in snort.install showing
how to change the user/group that snort runs as.
I think the first option is better.
-- Hugo
07-17-2008, 07:14 PM
Luke S Crawford
Snort UID / GID
"Hugo Doria" <hugodoria@gmail.com> writes:
> IMHO, we have two options:
>
> 1) Create a "snort" user/group and provide a package with fewer
> privileges by default (users can change that if they want)
> 2) Run snort as "nobody" and put a message in snort.install showing
> how to change the user/group that snort runs as.
>
> I think the first option is better.
I agree.
Personally, I try to create a new user (and sometimes a chroot) for every
publicly facing service that can be run as non-root.
I think it would be awesome if more packages did this for me. I don't
see the downside to having lots of users, supposing the mapping is clear.
07-18-2008, 03:47 AM
"Armando M. Baratti"
Snort UID / GID
Aaron Griffin wrote:
> On Thu, Jul 17, 2008 at 10:40 AM, Hugo Doria <hugodoria@gmail.com> wrote:
>> This way, snort can work out of the box with fewer privileges.
>> Anyone who wants can put snort to run with another user.
>> And, in any case, this email was just a question.
> I don't see why people have such an issue with creating UIDs/GIDs out
> of the box. I don't have a problem with it, as long as we don't do it
> on every flippin package under the sun. Is it possible to use 'nobody'
> for snort, or is there a security risk there too?
Have I heard someone saying "sensible defaults" ?
Armando
07-18-2008, 08:46 AM
RedShift
Snort UID / GID
Aaron Griffin wrote:
> On Thu, Jul 17, 2008 at 10:40 AM, Hugo Doria <hugodoria@gmail.com> wrote:
>> This way, snort can work out of the box with fewer privileges.
>> Anyone who wants can put snort to run with another user.
>> And, in any case, this email was just a question.
> I don't see why people have such an issue with creating UIDs/GIDs out
> of the box. I don't have a problem with it, as long as we don't do it
> on every flippin package under the sun. Is it possible to use 'nobody'
> for snort, or is there a security risk there too?
What if I want to run snort under, for example, "security_user"? Now I have a cluttered passwd file due to the post-install script. And if I manually remove the snort user, the pre-remove will probably error out too.
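An added example, not the snort package's actual snort.install (the thread never shows it): a sketch of how Hugo's option 1 could be scripted so that it creates a dedicated account with a reserved UID/GID, does nothing on re-install or upgrade, and also answers RedShift's objection above, because pre_remove only deletes the account if it is still there. UID/GID 95, the home directory and the shell are assumptions; the SNORT_PASSWD_FILE/SNORT_GROUP_FILE overrides exist only so the decision logic can be exercised against a constructed passwd/group file without root.

```sh
#!/bin/sh
# Added example (not the Arch snort package's real snort.install): an
# install hook that creates a dedicated "snort" account with a fixed
# UID/GID, survives re-installs, and does not fail on removal if the
# admin has already deleted or replaced the account.
# Assumptions: UID/GID 95 is hypothetical; pick a free value from your
# distribution's reserved-ID list. Home and shell are also assumed.

SNORT_UID=95
SNORT_GID=95
SNORT_HOME=/var/log/snort

# db_lookup DB KEY: print the passwd/group entry whose name or numeric
# id equals KEY. Normally goes through getent (so NSS/LDAP accounts are
# seen too); SNORT_PASSWD_FILE/SNORT_GROUP_FILE override that with a
# flat file so the logic can be tested without root.
db_lookup() {
  if [ "$1" = passwd ]; then _f=${SNORT_PASSWD_FILE:-}; else _f=${SNORT_GROUP_FILE:-}; fi
  if [ -n "$_f" ]; then
    awk -F: -v k="$2" '$1 == k || $3 == k' "$_f"
  else
    getent "$1" "$2"
  fi
}

user_exists()  { [ -n "$(db_lookup passwd "$1")" ]; }
group_exists() { [ -n "$(db_lookup group "$1")" ]; }
# id_owner ID DB: name that already owns numeric ID in DB, empty if free.
id_owner()     { db_lookup "$2" "$1" | cut -d: -f1; }

# plan_accounts: print, one per line, the commands needed to bring the
# snort user/group into existence. Nothing is printed when both exist,
# which is what makes post_install safe to run again on upgrade.
plan_accounts() {
  if ! group_exists snort; then
    if [ -z "$(id_owner "$SNORT_GID" group)" ]; then
      echo "groupadd -g $SNORT_GID snort"
    else
      # Reserved GID already taken on this box: fall back to a dynamic
      # system GID rather than failing the whole package install.
      echo "groupadd -r snort"
    fi
  fi
  if ! user_exists snort; then
    if [ -z "$(id_owner "$SNORT_UID" passwd)" ]; then
      _u="-u $SNORT_UID"
    else
      _u="-r"
    fi
    # No login shell, no password, primary group snort, home in the log dir.
    echo "useradd $_u -g snort -d $SNORT_HOME -s /bin/false -c 'Snort IDS' snort"
  fi
}

post_install() {
  plan_accounts | while read -r cmd; do
    echo "==> $cmd" >&2
    sh -c "$cmd" || echo "==> failed: $cmd" >&2
  done
  # The daemon drops to snort:snort (snort -u snort -g snort), so the
  # directory it writes to must be owned by that account, not root/nobody.
  [ -d "$SNORT_HOME" ] && chown snort:snort "$SNORT_HOME"
  return 0
}

pre_remove() {
  # Only remove what is still ours; an admin who switched snort to
  # "security_user" and deleted this account must not see an error here.
  user_exists snort  && userdel snort
  group_exists snort && groupdel snort
  return 0
}

# Arch .install hook: $1 = new version, $2 = old version (upgrade only).
post_upgrade() { post_install "$@"; }
```

The split between plan_accounts (pure decision, printable) and post_install (runs the commands) is deliberate: the part that can go wrong in interesting ways, such as the reserved GID already being taken by something else, can be checked on a copy of passwd/group before the package ever touches a real system.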