On 2019/06/04 10:21, Sebastian Reitenbach wrote:
> Hi,
>
> I'm experimenting with Suricata, but don't want to let suricata listen on a
> network interface, as it has to run as root. Suricata has user/group
> options, but they require libcap-ng.

I'm not sure what the libcap-ng is for, but with the standard config in the
port, Suricata starts as root and then drops to _suricata after initialising.

$ ps axu|grep suric
_suricat 90110 3.4 21.9 429924 427220 ?? Ssp 9:32AM 1:07.16 /usr/local/bin/suricata -D -i em1

> Looking around at what we have, I came across dumpcap.
>
> So, put the _suricata user into the _wireshark group, and:
>
> rcctl enable dumpcap
> rcctl set dumpcap flags .....
> rcctl set dumpcap user _suricata
>
> dumpcap then happily runs as _suricata, and Suricata picks up and runs
> happily as the _suricata user as well.
>
> That lets me feel much more comfortable.
> If someone has better ideas, I'm all ears.
>
> Therefore I added an rcscript to the tshark package for dumpcap.
> Any concerns, comments, or even OK?

I don't like adding this to net/wireshark. It seems odd to add an rc script
for something which isn't a daemon (we don't have an rc.d script for tcpdump
either), and users will see the "The following new rcscripts were installed:
/etc/rc.d/dumpcap" message and might think they need to use it.