On 07.09.2016 14:06, Pierre Chifflier wrote:
> On 09/07/2016 12:15 PM, Robert Haist wrote:
>> Package: suricata
>> Version: 3.1.1-4
>>
>> It might be a security improvement to let suricata run with non-root
>> privileges and a special permission for the provided capture modes.
>> Running as root might be a problem if a protocol parser or some other
>> input-dependent code is exploitable.
>>
>
> Hi,
>
> Do you mean the following part of the config file:
> # Run suricata as user and group.
> #run-as:
> #  user: suri
> #  group: suri
>
> This already reduces the risk in case a parser is compromised, but using
> such user is not the default configuration (you have to create one and
> uncomment these lines). That could be added to the Debian package.
Using this setting as the default and creating a suricata user on installation would be a very good start I think. Based on the suricata wiki this might only work for libpcap-mode. But maybe this information is outdated and can be clarified by some OISF Dev.

> Or, do you mean an additional mechanism to start as user (like file
> capabilities) ?
>
> Technically, file capabilities already work, however the required
> capability will depend on the capture method.
>
> Regards,
> Pierre
>
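The commented-out `run-as` block quoted above is the weak default; the check and rewrite below are an added example (not Suricata's or the Debian package's own code) that tells whether a suricata.yaml actually drops privileges and produces the enabled form. The user and group name `suricata` and the sample config text are assumptions.

```python
"""Audit and enable the run-as block of a suricata.yaml (added example)."""
import re

# Constructed sample: the commented-out default as shipped in suricata.yaml.
DEFAULT_BLOCK = """\
# Run suricata as user and group.
#run-as:
#  user: suri
#  group: suri
"""


def run_as_settings(yaml_text):
    """Return {'user': ..., 'group': ...} when an active (uncommented) top-level
    run-as block with at least a user is present, otherwise None.
    A '#run-as:' line is a comment, so it counts as privileges NOT dropped."""
    lines = yaml_text.splitlines()
    for i, line in enumerate(lines):
        if re.match(r'^run-as:\s*$', line):
            settings = {}
            for sub in lines[i + 1:]:
                m = re.match(r'^\s+(user|group):\s*(\S+)', sub)
                if not m:
                    break  # end of the indented block
                settings[m.group(1)] = m.group(2)
            if 'user' in settings:
                return settings
    return None


def enable_run_as(yaml_text, user='suricata', group='suricata'):
    """Uncomment the run-as block and set the given user/group (assumed names),
    leaving every other line of the file untouched."""
    out, in_block = [], False
    for line in yaml_text.splitlines():
        if re.match(r'^#\s*run-as:', line):
            out.append('run-as:')
            in_block = True
            continue
        if in_block:
            m = re.match(r'^#\s*(user|group):', line)
            if m:
                value = user if m.group(1) == 'user' else group
                out.append('  %s: %s' % (m.group(1), value))
                continue
            in_block = False  # first non-matching line ends the block
        out.append(line)
    return '\n'.join(out) + '\n'
```

Run `run_as_settings()` over the deployed config as a post-install check; `None` means Suricata is still starting as root.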

