Old 07-17-2008, 12:56 PM
"Hugo Doria"
 
Snort UID / GID

I've updated the snort package. The package is now working well, but I
have a question:

I am creating a snort user and group during the package installation.
Should we reserve a UID / GID for it? I think this is important because
snort should run with fewer privileges since it can monitor the
network, integrate itself with iptables and so on.

-- Hugo
 
Old 07-17-2008, 01:27 PM
RedShift
 
Snort UID / GID

Hugo Doria wrote:

> I've updated the snort package. The package is now working well, but I
> have a question:
>
> I am creating a snort user and group during the package installation.
> Should we reserve a UID / GID for it? I think this is important because
> snort should run with fewer privileges since it can monitor the
> network, integrate itself with iptables and so on.
>
> -- Hugo

Why can't the users themselves create a snort uid/gid...
 
Old 07-17-2008, 01:55 PM
"Hugo Doria"
 
Snort UID / GID

On Thu, Jul 17, 2008 at 10:27 AM, RedShift <redshift@pandora.be> wrote:
> Why can't the users themselves create a snort uid/gid...

As snort itself will run with the snort user/group, it is better to
create them during the installation.

-- Hugo
 
Old 07-17-2008, 03:09 PM
RedShift
 
Snort UID / GID

Hugo Doria wrote:

> On Thu, Jul 17, 2008 at 10:27 AM, RedShift <redshift@pandora.be> wrote:
>> Why can't the users themselves create a snort uid/gid...
>
> As snort itself will run with the snort user/group, it is better to
> create them during the installation.
>
> -- Hugo

Why is it better to create them during installation?

Glenn
 
Old 07-17-2008, 03:40 PM
"Hugo Doria"
 
Snort UID / GID

This way snort can work out of the box with fewer privileges.
Anyone who wants to can run snort as another user.

And, in any case, this email was just a question.

-- Hugo
 
Old 07-17-2008, 03:46 PM
"Aaron Griffin"
 
Snort UID / GID

On Thu, Jul 17, 2008 at 10:40 AM, Hugo Doria <hugodoria@gmail.com> wrote:
> This way snort can work out of the box with fewer privileges.
> Anyone who wants to can run snort as another user.
>
> And, in any case, this email was just a question.

I don't see why people have such an issue with creating UIDs/GIDs out
of the box. I don't have a problem with it, as long as we don't do it
on every flippin package under the sun. Is it possible to use 'nobody'
for snort, or is there a security risk there too?
 
Old 07-17-2008, 06:13 PM
"Hugo Doria"
 
Snort UID / GID

The problem of using the user "nobody" is that if it is used for
various services, and one of these is compromised it can also affect
snort.

IMHO, we have two options:

1) Create a "snort" user/group and provide a package with fewer
privileges by default (users can change that if they want)
2) Run snort as "nobody" and put a message in snort.install showing
how to change the user/group that snort runs as.

I think the first option is better.

-- Hugo
 
Old 07-17-2008, 07:14 PM
Luke S Crawford
 
Snort UID / GID

"Hugo Doria" <hugodoria@gmail.com> writes:
> IMHO, we have two options:
>
> 1) Create a "snort" user/group and provide a package with fewer
> privileges by default (users can change that if they want)
> 2) Run snort as "nobody" and put a message in snort.install showing
> how to change the user/group that snort runs as.
>
> I think the first option is better.

I agree.

Personally, I try to create a new user (and sometimes a chroot) for every
publicly facing service that can be run as non-root.

I think it would be awesome if more packages did this for me. I don't
see the downside to having lots of users, supposing the mapping is clear.
 
Old 07-18-2008, 03:47 AM
"Armando M. Baratti"
 
Snort UID / GID

Aaron Griffin wrote:

> On Thu, Jul 17, 2008 at 10:40 AM, Hugo Doria <hugodoria@gmail.com> wrote:
>> This way snort can work out of the box with fewer privileges.
>> Anyone who wants to can run snort as another user.
>>
>> And, in any case, this email was just a question.
>
> I don't see why people have such an issue with creating UIDs/GIDs out
> of the box. I don't have a problem with it, as long as we don't do it
> on every flippin package under the sun. Is it possible to use 'nobody'
> for snort, or is there a security risk there too?

Have I heard someone saying "sensible defaults"?


Armando
 
Old 07-18-2008, 08:46 AM
RedShift
 
Snort UID / GID

Aaron Griffin wrote:

> On Thu, Jul 17, 2008 at 10:40 AM, Hugo Doria <hugodoria@gmail.com> wrote:
>> This way snort can work out of the box with fewer privileges.
>> Anyone who wants to can run snort as another user.
>>
>> And, in any case, this email was just a question.
>
> I don't see why people have such an issue with creating UIDs/GIDs out
> of the box. I don't have a problem with it, as long as we don't do it
> on every flippin package under the sun. Is it possible to use 'nobody'
> for snort, or is there a security risk there too?

What if I want to run snort under, for example, "security_user"? Now I have a cluttered passwd file due to the post-install script. And if I manually remove the snort user, the pre-remove will probably error out too.

Glenn
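An added example, not code from this thread or from the snort package: an install scriptlet in the shape the thread discusses (post_install / pre_remove hooks) that creates a dedicated system account only when it is missing and removes only what still exists. That covers Hugo's option 1 (a dedicated "snort" user so a compromise of another "nobody" service cannot reach snort's files) and the case Glenn raises, where an administrator has already deleted or replaced the snort user by hand and the pre-remove must not fail. The account name, home directory, shell and hook names are assumptions.

```shell
#!/bin/sh
# Idempotent service-account handling for a package install scriptlet.
# Constructed example; the names below are assumptions, not the snort package's.

SVC_USER=snort
SVC_GROUP=snort
SVC_HOME=/var/log/snort

# entry_exists FILE NAME: succeed when NAME is the first field of some line in
# a passwd- or group-format FILE. The file is a parameter so the decision logic
# can be checked against a constructed sample instead of the live /etc/passwd.
entry_exists() {
    awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# plan_install PASSWD GROUP: print only the account commands still needed.
# Re-running after a partial install adds nothing, and an account the
# administrator created ahead of time is left untouched. -r picks a UID/GID
# from the system range; reserving a fixed number would need an explicit -u/-g.
plan_install() {
    entry_exists "$2" "$SVC_GROUP" || echo "groupadd -r $SVC_GROUP"
    entry_exists "$1" "$SVC_USER"  || echo "useradd -r -g $SVC_GROUP -d $SVC_HOME -s /usr/bin/nologin -c 'Snort IDS' $SVC_USER"
}

# plan_remove PASSWD GROUP: remove only what still exists, so an account that
# was already deleted by hand does not make the pre-remove hook error out.
plan_remove() {
    entry_exists "$1" "$SVC_USER"  && echo "userdel $SVC_USER"
    entry_exists "$2" "$SVC_GROUP" && echo "groupdel $SVC_GROUP"
    return 0
}

# The hooks a package manager would call: evaluate the plan against the real
# account files and execute it, stopping at the first failing command.
post_install() { plan_install /etc/passwd /etc/group | sh -e; }
pre_remove()   { plan_remove  /etc/passwd /etc/group | sh -e; }
```

Keeping the decision in plan_install / plan_remove, with the account files passed in, means the scriptlet's behaviour on a fresh system, on a system where the group already exists, and on a system where the user was removed by hand can all be verified without root before the package ships.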
 
