Bug 452763 - snort should not run as root
Summary: snort should not run as root
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: snort
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Dennis Gilmore
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-06-24 21:09 UTC by Steve Grubb
Modified: 2015-07-10 13:46 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-07-10 13:46:13 UTC
Type: ---
Embargoed:



Description Steve Grubb 2008-06-24 21:09:42 UTC
Description of problem:
Because snort parses malicious network packets, it should not run as root in
case there is a flaw. The uid 62 was allocated in the setup rpm for the snortd
user. The spec file should have a %pre section that adds the user, and updates
should be made to the /etc/sysconfig/snort file.

%pre
getent passwd snortd >/dev/null || \
/usr/sbin/useradd -M -o -r -d / -s /sbin/nologin \
        -c "Snort Daemon" -u 62 snortd > /dev/null 2>&1 || :

and

# What user account should we run under.
USER="snortd"

# What group account should we run under.
GROUP="snortd"

There may need to be some updating of directory permissions too with this patch
in place.

Version-Release number of selected component (if applicable):
2.8.1-3
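
A small audit helper, added here as an example (it is not part of the report or of the Fedora snort package): it checks that the snortd account looks the way the %pre scriptlet above creates it (name snortd, uid 62, home /, non-login shell) and that no snort process is running as root. The passwd entry and ps output it is exercised with are constructed; on a real host feed it `getent passwd snortd` and `ps -eo user=,comm=` as shown in the comments.

```shell
#!/bin/sh
# Audit helper for the "snort must not run as root" change.
# Live usage (not run here):
#   check_snortd_entry "$(getent passwd snortd)"
#   check_no_root_snort "$(ps -eo user=,comm=)"

# Validate one passwd(5) line (name:pw:uid:gid:gecos:home:shell) against
# the account the %pre scriptlet creates: uid 62, home /, no login shell.
check_snortd_entry() {
    entry="$1"
    IFS=: read -r name _pw uid _gid _gecos home shell <<EOF
$entry
EOF
    [ "$name" = "snortd" ] || { echo "account is '$name', expected snortd"; return 1; }
    [ "$uid" = "62" ] || { echo "uid is $uid, expected 62 (uid 0 would be root)"; return 1; }
    [ "$home" = "/" ] || { echo "home is '$home', expected /"; return 1; }
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) ;;
        *) echo "shell '$shell' allows interactive login"; return 1 ;;
    esac
    return 0
}

# Given "user comm" lines (the format of ps -eo user=,comm=), fail if any
# snort process is owned by root, i.e. privileges were never dropped.
check_no_root_snort() {
    printf '%s\n' "$1" | while read -r user comm; do
        if [ "$comm" = "snort" ] && [ "$user" = "root" ]; then
            echo "a snort process is running as root"
            exit 1   # exits the pipeline subshell; the function returns 1
        fi
    done
}
```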

Comment 1 Steve Grubb 2008-07-02 19:17:46 UTC
Turns out after this change, the prelude plugin cannot access its config data.
The plugin should be started before dropping privs. I'll work out a patch that
ensures this.

Comment 2 John Poelstra 2008-10-11 03:55:44 UTC
This bug has been triaged

Comment 3 Dennis Gilmore 2015-07-10 13:46:13 UTC
snort was removed from Fedora years ago
