[Bro-Dev] Running Bro non-SUID on Linux

Seth Hall seth at icir.org
Thu Jan 20 04:41:38 PST 2011


On Jan 19, 2011, at 5:31 PM, Jim Mellander wrote:

> I've been helping someone install Bro on Linux, and we don't want to
> go the SUID route, and thought that by using setcap to set cap_net_raw
> on the binary, it would work, but Bro startup copies the binary to a
> temp directory, which loses all privileges - here's the communication
> from the user:


I think that Justin has a patch for Bro that drops privileges after starting up.  It's possible that we could just integrate that patch since it was a very small change, only something around 5 lines if I remember correctly.  The addition to BroControl should be really small and easy too.

Justin, could you file a tracker ticket if you still have that patch floating around somewhere?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
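
Added example, not part of the original message and not the patch mentioned above: a check for whether a binary, such as the copy made at startup, still carries cap_net_raw, done by decoding its `security.capability` extended attribute. The file paths come from the command line, and `SAMPLE` is a constructed value matching what `setcap cap_net_raw+ep` writes.

```python
import os
import struct
import sys

CAP_NET_RAW = 13                      # bit number from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# Number of 32-bit {permitted, inheritable} pairs for each xattr revision.
PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}

# Constructed sample: revision 2, effective flag set, permitted = cap_net_raw.
SAMPLE = struct.pack("<IIIII", 0x02000001, 1 << CAP_NET_RAW, 0, 0, 0)


def parse_vfs_caps(raw):
    """Decode a security.capability xattr value (little-endian vfs_cap_data)."""
    if len(raw) < 4:
        raise ValueError("truncated capability xattr")
    (magic,) = struct.unpack_from("<I", raw, 0)
    pairs = PAIRS.get(magic & VFS_CAP_REVISION_MASK)
    if pairs is None or len(raw) < 4 + 8 * pairs:
        raise ValueError("unknown revision or short capability xattr")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"permitted": permitted, "inheritable": inheritable,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}


def has_net_raw(raw):
    """True if the xattr grants cap_net_raw as permitted and effective (+ep)."""
    caps = parse_vfs_caps(raw)
    return caps["effective"] and bool((caps["permitted"] >> CAP_NET_RAW) & 1)


def file_has_net_raw(path):
    """False when the file has no capability xattr, e.g. after a plain copy."""
    try:
        return has_net_raw(os.getxattr(path, "security.capability"))
    except (OSError, ValueError):
        return False


if __name__ == "__main__":
    for path in sys.argv[1:]:         # e.g. the installed binary and its copy
        print(path, "cap_net_raw+ep" if file_has_net_raw(path) else "no cap_net_raw")
```
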



