argus in chroot, privilege separation/revocation
Andreas Östling
andreaso at it.su.se
Wed Sep 20 08:38:08 EDT 2006
On Wednesday 20 September 2006 13:39, carter at qosient.com wrote:
> OK, so this helps a lot, but I am confused as to the goal. Are we
> trying to prevent argus from creating output files as root, but still
> be able to read its configuration file, open any packet interfaces
> and output sockets with privileges? Are we chroot'ing only to
> control file creation paths, or to also control from where argus
> reads its data? Are we worried about where argus creates any dump()
> files and who owns these? All of this tends to dictate the order of
> things, of course.
...
Speaking for myself, what I want to achieve is to have the Argus daemon
running in its own chroot directory without root privileges, but
without losing functionality. This is only to make things a little bit
harder for an attacker who happens to find a remotely exploitable bug.
At least the way I run Argus this has worked very well for a couple of
years (with 2.x) simply by dropping the privs permanently after startup
when they're no longer required. Here is an example:
# mkdir /tmp/argus
# chown arguser:arggroup /tmp/argus
# chmod 0700 /tmp/argus
# argus -C /tmp/argus -u arguser -g arggroup -w /foo -d
argus[1954]: started
# ps -u 1954
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
arguser 1954 5.2 1.7 18760 17472 ?? Ss 2:20PM 0:04.08 argus
-C /tmp/argus -u arguser -g arggroup -w /foo -d
# ls -l /tmp/argus/foo
-rw-r--r-- 1 arguser arggroup 13857 Sep 20 14:23 /tmp/argus/foo
I didn't know about the interface reopen stuff. That makes things tricky
as if you drop the privs correctly you won't be able to regain them or
"un-chroot".
/Andreas
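The permanent drop described in the post (chroot, then give up root, then nothing can be reopened), as an added C example that is neither Argus code nor code from the message; the directory, uid and gid are command-line arguments and the "refuse to drop to uid 0" check is this example's own choice:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently confine the process: chroot, then give up root. The caller
 * must already have opened everything that needs root (capture interface,
 * config file, output socket), because none of it can be reopened afterwards.
 * Returns 0 on success, -1 with errno set on failure (including when not root). */
int drop_privileges(const char *root_dir, uid_t uid, gid_t gid)
{
    if (uid == 0) { errno = EINVAL; return -1; }  /* "dropping" to root is not a drop */
    if (chroot(root_dir) != 0) return -1;         /* needs root: EPERM otherwise */
    if (chdir("/") != 0) return -1;               /* else cwd still points outside the jail */
    if (setgroups(0, NULL) != 0) return -1;       /* clear supplementary groups while still root */
    if (setgid(gid) != 0) return -1;              /* gid before uid: impossible once uid is gone */
    if (setuid(uid) != 0) return -1;              /* as root this sets real, effective and saved uid */
    return 0;
}

/* Verify the drop is irreversible: ids match the target and setuid(0) is refused. */
int privs_are_revoked(uid_t uid, gid_t gid)
{
    if (uid == 0) return 0;
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    return setuid(0) == -1 && errno == EPERM;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <chroot-dir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)atoi(argv[2]);
    gid_t gid = (gid_t)atoi(argv[3]);
    if (drop_privileges(argv[1], uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    int ok = privs_are_revoked(uid, gid);
    printf("privileges revoked: %s\n", ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```

Run it as root against a directory prepared like /tmp/argus in the post; run as an ordinary user it fails at chroot() with EPERM, which is the expected behaviour.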