[Bro] Problems Building Bro

Dominic Steinitz dominic.steinitz at blueyonder.co.uk
Sun Jun 25 07:26:56 PDT 2006

Christian Kreibich wrote:
> On Sat, 2006-06-24 at 17:45 +0100, Dominic Steinitz wrote: 
>>>> 2. "make install" installed everything as root so I'm having to run bro 
>>>> as root.
>>> I don't understand -- who owns the installed files is determined by who
>>> runs make install. I'd normally hope that everything is installed as
>>> root. How does that prevent you from running bro non-root?
>> I quote from the Bro Quick Start Guide:
>> "The Bro-Lite configuration script can be used to automatically 
>> configure Bro for you. It checks your system's BPF settings, creates a 
>> 'bro' user account, installs a script to start bro at boot time, and 
>> installs a number of cron jobs to checkpoint bro every night, run 
>> perioidic reports, and manage log files."
>> and
>> "     User id to install and run Bro under [bro]
>>          bro_config will create a new user account with this username if 
>> the user does not exist."
> Sorry but I don't see what this has to do with your earlier claim of
> having to run Bro as root. You only have to run Bro as root if your
> kernel requires it for the tasks your putting Bro to, packet capture
> being the most likely candidate.

Ok I'm capturing packets and so running Bro as root. I misunderstood the 
documentation (and / or the question in the brolite scripte) which 
seemed to imply that files would be installed as bro / wheel and Bro 
would run as bro.

> Maybe you could tell us what kind of setup you're aiming at. What user
> *do* you want to run Bro under? If you want to run Bro to get a feel for
> policy configuration, you don't even need to make install, not to
> mention touch the Bro-Lite configuration stuff.

See above.

>> I did make install as root and then make install-brolite. Should I not 
>> have done make install but make install-brolite only?
> No, it's okay to run both -- 'make install' installs the Bro executable,
> Broccoli, policy files, etc, while 'make install-brolite' is responsible
> for setting up an install script, configure report styles, etc.
>>> If you want to do packet capture you'll likely be running it as root
>>> anyway, if you want to process traces you don't need root, and if you
>>> want to run a Bro-Bro communications node you can use high ports to
>>> avoid root.
>> Ok but I'm confused in that case. What is the point of creating the user 
>> bro?
> I believe on Linux you're not actually supposed to be presented with
> "bro" as user account but "root" instead since it's more likely to work,

You are right. I was presented with root but I must have mistunderstood 
the documentation.

> though I might be wrong. Try setting the suggested user to root unless
> you know that your Linux kernel provides non-root capability to do
> packet capture.

Done. I've used pcap directly and know I have to be root to run the 

> The point of a different user is simply one of least privilege -- if
> your OS allows you to select capabilities selectively, then you might
> not need root even if you do packet capture. Also there are the issues
> of log maintenance & archival, and you might prefer a user different
> from root for access to those.

This is was why I was worrying. But let's finish off this thread. I'll 
post my remaining questions under a different title.

> Getting all of this set up smoothly has seen more exposure on the BSDs
> than Linux, so sorry for the bumpy ride. Others can comment better than
> I on the state of Bro-Lite and Linux.
> Cheers,
> Christian.


I'd like to say a big thank you to you in particular and Vern and 
everyone else that responded.


More information about the Bro mailing list