Description of problem:
Because snort parses malicious network packets, it should not run as root in case there is a flaw. The uid 62 was allocated in the setup rpm for the snortd user. The spec file should have a %pre section that adds the user and updates made to the /etc/sysconfig/snort file.

%pre
getent passwd snortd >/dev/null || \
/usr/sbin/useradd -M -o -r -d / -s /sbin/nologin \
    -c "Snort Daemon" -u 62 snortd > /dev/null 2>&1 || :

and

# What user account should we run under.
USER="snortd"

# What group account should we run under.
GROUP="snortd"

There may need to be some updating of directory permissions too with this patch in place.

Version-Release number of selected component (if applicable):
2.8.1-3
Turns out after this change, the prelude plugin cannot access its config data. The plugin should be started before dropping privs. I'll work out a patch that ensures this.
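The ordering described in this comment, as an added example (not snort's code and not the patch mentioned in the thread): open what needs root first, then drop privileges and verify the drop. The function name, the gid 62 and the default path are assumptions made for this sketch; only uid 62 comes from the report.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: open what needs root first, then become uid/gid.
 * Returns the open config descriptor, or -1 on any failure. */
int open_config_then_drop(const char *cfg_path, uid_t uid, gid_t gid)
{
    /* 1. Privileged setup: the descriptor stays usable after the drop. */
    int fd = open(cfg_path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;

    /* 2. Drop: supplementary groups, then gid, then uid. The order matters:
     *    setgid() is no longer permitted once the uid has changed. */
    if (geteuid() == 0 && uid != 0) {
        if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
            goto fail;
    }

    /* 3. Verify the identity, and that root cannot be regained. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        goto fail;
    if (uid != 0 && setuid(0) == 0)
        goto fail;
    return fd;

fail:
    close(fd);
    return -1;
}

int main(int argc, char **argv)
{
    /* Constructed defaults: 62 is the snortd uid from the report; the gid
     * and the path are placeholders for this sketch. */
    const char *path = argc > 1 ? argv[1] : "/dev/null";
    int fd = open_config_then_drop(path, 62, 62);
    if (fd < 0) {
        fprintf(stderr, "setup or privilege drop failed\n");
        return 1;
    }
    printf("running as uid %d with config fd %d\n", (int)getuid(), fd);
    return 0;
}
```

When not started as root, the helper only succeeds if the process already runs as the requested uid and gid.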
This bug has been triaged
Snort was removed from Fedora years ago.