[Bro] how to run as non-root user?

Roger Winslow rwinslow at lbl.gov
Fri Jul 15 13:48:32 PDT 2005 

The issue you are seeing is related to how Linux does packet capture.  In short
Linux must have root privilages to capture packets.  Sorry, but without using
some of the custom kernel patches out there you must run Bro as a user that has
root privs.  If you want more info search for linux packet capture.

As for bro.rc it was written for 'sh' and is compatible with 'bash'.  That's why
the bang path is #!/bin/sh.  bro.rc was written to work on the widest number of
systems possible and sh/bash are available everywhere.

I produced a simple shell script to simulate what you are referring to but was
unable to reproduce the error.  brouser has a shell of /bin/tcsh and root has a
shell of /bin/tcsh

#!/bin/sh

if [ "$1" = '1' ]; then
        echo DONE
        exit 0
fi

su -l brouser -c "$0 1 < /dev/null"

If you can find more info on the error I will look into it further.

         Roger


Jingmin Zhou wrote:

> Hi,
> 
> I am a new user of bro, and have recently install bro 0.9a9 on a Linux
> box. I have a question with bro:
> 
> I want to run bro as non-root user, and have created an account for
> bro. However, when I try to start bro with bro.rc, it reports "problem
> with interface eth0 - pcap_open_live: socket: Operation not
> permitted". Does it mean that I need to setuid bro binary? If so, does
> bro drops privilege after pcap_open? (A quick grep shows that bro does
> not call setuid()).
> 
> BTW, there is a small issue with bro.rc. It calls bro with "su -l
> ${alternate_user_id}...". On my system, the shell of root account is
> tcsh. Then when I run bro.rc from an interactive root shell, it
> prompts the error as follows:
> 
>    Unknown option: `-l'
>    Usage: tcsh [ -bcdefilmnqstvVxX ] [ argument ... ].
> 
> To fix it, either I need to change root shell to bash (which is not
> preferred IMHO), or change bro.rc as "su - ${alternate_user_id}...".
> 
> Thanks!
> 
> Jingmin
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list