Dear James,

> I think the best way to achieve this is to actually use capabilities, so 
> you don't necessarily need root at all, just have CAP_NET_ADMIN.

I don't know much about capabilities, but from what I've read today it 
seems to be a real pain to change UID without losing them. The only way I 
can find is to have another process give CAP_NET_ADMIN back to Snort after 
it sets uid > 0. Without some kind of semaphores or locking, it seems it 
would be hard to know when Snort has finished changing uid and we can give 
it the capability it needs.

The other problem is that I don't want Snort to be able to do all the 
things CAP_NET_ADMIN allows. Isn't it sufficient to have had the privilege 
once, when the Netlink socket was opened?

> Also, I'd prefer not to make the security so dependent on the kernel-user 
> state code in ip_queue, which is convoluted and may eventually change or 
> disappear.

I'm sorry, I don't follow you here. Surely the security already depends 
critically on the kernel-user state code in ip_queue? And if it changes, 
then of course this Snort patch would have to be modified, but so would 
everything else which uses libipq. And a change could just as easily break 
the patch if I modified it to use CAP_NET_ADMIN and then ip_queue no 
longer trusted NET_ADMIN to give packet verdicts.

Thanks for your help,

Ciao, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |
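Added example, not Chris's patch or any Snort code: the single-process sequence on Linux for keeping only CAP_NET_ADMIN across a setuid, using PR_SET_KEEPCAPS and raw capset(2)/capget(2) so no helper process and no libcap are needed; the target uid/gid are whatever the caller passes.

```c
#define _GNU_SOURCE
/* Added example: switch to an unprivileged UID while retaining only
 * CAP_NET_ADMIN, in one process. Linux-only; builds without libcap. */
#include <grp.h>
#include <linux/capability.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fill a 64-bit capability set (two u32 words, _LINUX_CAPABILITY_VERSION_3
 * layout) holding exactly one capability in permitted and effective.
 * Inheritable stays empty so nothing leaks into exec'd children. */
void build_single_cap(int cap, struct __user_cap_data_struct data[2])
{
    uint32_t w0 = cap < 32 ? 1u << cap : 0;
    uint32_t w1 = cap >= 32 ? 1u << (cap - 32) : 0;
    data[0] = (struct __user_cap_data_struct){ w0, w0, 0 }; /* eff, perm, inh */
    data[1] = (struct __user_cap_data_struct){ w1, w1, 0 };
}

/* Read the current effective set so the result of a drop can be verified. */
int current_effective(uint32_t *low, uint32_t *high)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    *low = data[0].effective;
    *high = data[1].effective;
    return 0;
}

/* Drop from root to uid/gid keeping only CAP_NET_ADMIN. Returns 0 on success. */
int drop_to_uid_keep_net_admin(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    /* Without KEEPCAPS, setuid() away from 0 clears the permitted set too. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* setuid() emptied the effective set; re-raise CAP_NET_ADMIN alone and
     * shrink permitted to it, so the rest of root's powers are gone for good. */
    build_single_cap(CAP_NET_ADMIN, data);
    if (syscall(SYS_capset, &hdr, data) != 0) return -1;
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}
/* If the privileged descriptor (e.g. the netlink socket) was opened before
 * this point, the fd stays usable afterwards, so build_single_cap() can be
 * replaced by an all-zero set to drop every capability instead. */
```

Run it as root to observe the effect; as an ordinary user the drop fails at setgroups() and the other two helpers still work.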