[Bro-Dev] Running Bro non-SUID on Linux

Jim Mellander jmellander at lbl.gov
Thu Jan 20 09:15:39 PST 2011

On Thu, Jan 20, 2011 at 8:50 AM, Robin Sommer <robin at icir.org> wrote:
> A number of things here:
> On Wed, Jan 19, 2011 at 14:31 -0800, you wrote:
>> I've been helping someone install Bro on Linux, and we don't want to
>> go the SUID route, and thought that by using setcap to set cap_net_raw
>> on the binary, it would work, but Bro startup copies the binary to a
>> temp directory, which loses all privileges
> Yeah, this copying has bitten people in the past. The reason for
> that is NFS, where running the original binary may cause trouble.
> Still, we might want to get rid of this, or make it optional, or
> keep it just to the NFS mode.

I think modifying the script to make the copy an optional feature
would be reasonable.

> Independent of that, is there a way to copy an executable while
> keeping its capabilities?
>> One thing I thought of was to write a custom SUID root program whose
>> only function is to set the capabilities on the binary in the temp
>> directory (hard coded into the SUID program, for securities sake), and
>> run it just after the copy.....
> Would work I guess, though we don't have a hook in broctl right now
> to trigger that so need'd to hack the script.
> On Thu, Jan 20, 2011 at 07:41 -0500, you wrote:
>> I think that Justin has a patch for Bro that drops privileges after
>> starting up.
> Yeah, that has been on my list for a while, we should definitly
> integrate it.
> Robin

Well, I believe that copying an SUID-root as non-root will cause SUID
to be dropped, so the copy still is a limiting factor.  Interested in
seeing the drop privilege code too, tho'

Thanks to all!!!!

More information about the bro-dev mailing list