[Bro-Dev] Running Bro non-SUID on Linux

Robin Sommer robin at icir.org
Thu Jan 20 08:50:23 PST 2011


A number of things here:

On Wed, Jan 19, 2011 at 14:31 -0800, you wrote:

> I've been helping someone install Bro on Linux, and we don't want to
> go the SUID route, and thought that by using setcap to set cap_net_raw
> on the binary, it would work, but Bro startup copies the binary to a
> temp directory, which loses all privileges

Yeah, this copying has bitten people in the past. The reason for
that is NFS, where running the original binary may cause trouble.
Still, we might want to get rid of this, or make it optional, or
keep it just for the NFS mode.

Independent of that, is there a way to copy an executable while
keeping its capabilities?

> One thing I thought of was to write a custom SUID root program whose
> only function is to set the capabilities on the binary in the temp
> directory (hard coded into the SUID program, for security's sake), and
> run it just after the copy.....

Would work I guess, though we don't have a hook in broctl right now
to trigger that, so you'd need to hack the script.

On Thu, Jan 20, 2011 at 07:41 -0500, you wrote:

> I think that Justin has a patch for Bro that drops privileges after
> starting up.

Yeah, that has been on my list for a while, we should definitely
integrate it.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
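On the question raised above of copying an executable while keeping its capabilities: the caps that setcap writes live in the file's security.capability extended attribute, so GNU cp --preserve=xattr (or simply running setcap again on the copy) carries them over, but only for a copier that holds CAP_SETFCAP, i.e. root. The block below is an added example, not Bro or broctl code, that shows what that xattr actually holds for cap_net_raw=ep (decoded from the struct vfs_cap_data layout in linux/capability.h) and a copy helper that re-applies it and reports failure instead of silently dropping it; the file names and the "binary" it copies are constructed for the example.

```python
"""Copy a setcap'd binary without losing its capabilities (added example).

setcap(8) stores file capabilities in the inode's 'security.capability'
extended attribute, so a byte-for-byte copy (cp, shutil.copyfile) comes
out with no CAP_NET_RAW; shutil.copy2 does try to copy xattrs but
silently ignores EPERM, which is the same silent loss.  This helper
copies bytes and mode explicitly, then re-applies the xattr and reports
whether that worked.  Writing security.capability needs CAP_SETFCAP.
"""
import errno
import os
import shutil
import stat
import struct
import tempfile

CAP_XATTR = "security.capability"
CAP_NET_RAW = 13                       # bit number from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_REVISION_3 = 0x03000000        # v2 plus a trailing rootid (user ns)
VFS_CAP_FLAGS_EFFECTIVE = 0x000001     # the 'e' in 'cap_net_raw=ep'


def read_file_caps(path):
    """Raw security.capability value, or None when the file has no caps
    (ENODATA), the filesystem lacks xattrs (ENOTSUP), or this is not Linux."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        return os.getxattr(path, CAP_XATTR)
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise


def decode_file_caps(raw):
    """Decode struct vfs_cap_data (little-endian): magic_etc, then two
    {permitted, inheritable} pairs covering cap bits 0-31 and 32-63."""
    magic_etc = struct.unpack_from("<I", raw, 0)[0]
    rev = magic_etc & VFS_CAP_REVISION_MASK
    if rev not in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError("unsupported vfs_cap_data revision 0x%08x" % rev)
    p0, i0, p1, i1 = struct.unpack_from("<IIII", raw, 4)
    permitted, inheritable = (p1 << 32) | p0, (i1 << 32) | i0
    rootid = struct.unpack_from("<I", raw, 20)[0] if rev == VFS_CAP_REVISION_3 else 0
    return {
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": {b for b in range(64) if permitted >> b & 1},
        "inheritable": {b for b in range(64) if inheritable >> b & 1},
        "rootid": rootid,
    }


def sample_cap_net_raw_blob():
    """Constructed xattr value equal to what 'setcap cap_net_raw=ep' writes."""
    return struct.pack("<IIIII", VFS_CAP_REVISION_2 | VFS_CAP_FLAGS_EFFECTIVE,
                       1 << CAP_NET_RAW, 0, 0, 0)


def copy_with_caps(src, dst):
    """Copy src to dst and re-apply its file caps.  dst is created O_EXCL so a
    pre-planted file or symlink in a shared temp dir is refused, not followed.
    Bytes go in before the xattr, because writing to a file clears its caps.
    Returns a report instead of silently dropping the caps."""
    caps = read_file_caps(src)
    mode = stat.S_IMODE(os.stat(src).st_mode)
    with open(src, "rb") as fin:
        fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o700)
        with os.fdopen(fd, "wb") as fout:
            shutil.copyfileobj(fin, fout)
            fout.flush()
            os.fchmod(fout.fileno(), mode)
            if caps is None:
                return {"caps_present": False, "caps_copied": False, "error": None}
            try:
                os.setxattr(fout.fileno(), CAP_XATTR, caps)
            except OSError as e:           # EPERM without CAP_SETFCAP
                return {"caps_present": True, "caps_copied": False,
                        "error": os.strerror(e.errno)}
    return {"caps_present": True, "caps_copied": True, "error": None}


def demo():
    """Constructed end-to-end run on a fake 'binary' in a fresh temp dir.
    Returns (report, bytes_preserved, mode_preserved, second_copy_refused)."""
    d = tempfile.mkdtemp(prefix="brocaps-")
    src, dst = os.path.join(d, "bro"), os.path.join(d, "bro.tmp")
    with open(src, "wb") as f:
        f.write(b"\x7fELF fake binary for the example\n")
    os.chmod(src, 0o755)
    report = copy_with_caps(src, dst)
    with open(src, "rb") as a, open(dst, "rb") as b:
        same_bytes = a.read() == b.read()
    same_mode = stat.S_IMODE(os.stat(dst).st_mode) == 0o755
    try:
        copy_with_caps(src, dst)
        refused = False
    except FileExistsError:
        refused = True
    return report, same_bytes, same_mode, refused


if __name__ == "__main__":
    print(decode_file_caps(sample_cap_net_raw_blob()))
    print(demo())
```

Run as an unprivileged user on a source binary that carries caps, the report comes back with caps_present True and caps_copied False plus the EPERM text, which is exactly the condition a broctl-side copy step would want to fail loudly on rather than start an unprivileged Bro that cannot open the capture interface. With no caps on the source (as in demo()), the copy succeeds and the report says so.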

