[Bro-Dev] Running Bro non-SUID on Linux

Jim Mellander jmellander at lbl.gov
Wed Jan 19 14:31:12 PST 2011

Hi gang:

I've been helping someone install Bro on Linux, and we don't want to
go the SUID route, and thought that by using setcap to set cap_net_raw
on the binary, it would work, but Bro startup copies the binary to a
temp directory, which loses all privileges - here's the communication
from the user:

One piece that I'm running into issues with though is the cap-net-raw
stuff and how broctl starts up.  The error I get when attempting to
start is
==== stderr.log
/usr/local/bro/spool/tmp/bro: problem with interface eth4 -
pcap_open_live: socket: Operation not permitted

If I setcap cap_net_raw+ei /usr/local/bro/spool/tmp/bro, it appears to
set things up properly, but they don't stick.  In looking deeper, the
start process in broctl purges that spool/tmp directory then copies
the executable back into that space.  The result is that the setcap is

Has this been addressed somewhere, or do I go digging deeper?


One thing I thought of was to write a custom SUID root program whose
only function is to set the capabilities on the binary in the temp
directory (hard coded into the SUID program, for securities sake), and
run it just after the copy.....

Any ideas, suggestions?

More information about the bro-dev mailing list