argus in chroot, privilege separation/revocation
Peter Van Epp
vanepp at sfu.ca
Wed Sep 20 11:32:14 EDT 2006
<snip>
>
> There is a notion of deferred opens for interfaces that have gone down! I suppose if I have to retry opening the interface, I'll have to "un-chroot" so that I open the real /dev/whatever0 ? That doesn't sound quite right!!
>
One way this can be dealt with is a small simple setuid program that
does nothing but open the interface (for safety the interface likely wants to
be hard coded though, a parameter would probably be dangerous :-)). Then the
rest of argus can run as non root and create files as non root since I believe
the only thing that needs root privileges should be opening the libpcap
socket? An alternative would be to permit the bpf interfaces to the argus
user to avoid having to be root at all.
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
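
The split described in the reply above (a tiny privileged opener, everything else non-root), as an added example that is not part of the original post and is not argus code. It assumes the helper hands the open descriptor to the daemon over a Unix socket using SCM_RIGHTS; `CAPTURE_DEV`, `helper_open_and_send` and `daemon_recv_fd` are hypothetical names, and `/dev/null` stands in for the real device so the block runs anywhere.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>
/* Hard-coded on purpose: nothing from argv or the environment selects the device.
   /dev/null is a runnable stand-in for the real capture device (assumption). */
#define CAPTURE_DEV "/dev/null"
union ctl { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; };

/* Build a message: one data byte plus control space for exactly one descriptor. */
static void prep(struct msghdr *m, struct iovec *iov, char *byte, union ctl *c) {
    memset(m, 0, sizeof *m); memset(c, 0, sizeof *c);
    iov->iov_base = byte; iov->iov_len = 1; m->msg_iov = iov; m->msg_iovlen = 1;
    m->msg_control = c->buf; m->msg_controllen = sizeof c->buf;
}

/* Privileged side: open the fixed device, drop to the real gid/uid, pass the fd. */
int helper_open_and_send(int sock) {
    char byte = 0; struct iovec iov; struct msghdr m; union ctl c;
    int fd = open(CAPTURE_DEV, O_RDWR);
    if (fd < 0) return -1;
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) { close(fd); return -1; }
    prep(&m, &iov, &byte, &c);
    struct cmsghdr *h = CMSG_FIRSTHDR(&m);
    h->cmsg_level = SOL_SOCKET; h->cmsg_type = SCM_RIGHTS; h->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(h), &fd, sizeof fd);
    int rc = sendmsg(sock, &m, 0) == 1 ? 0 : -1;
    close(fd);                 /* the in-flight copy keeps the file open */
    return rc;
}

/* Unprivileged side: accept exactly one SCM_RIGHTS descriptor, otherwise fail. */
int daemon_recv_fd(int sock) {
    char byte; struct iovec iov; struct msghdr m; union ctl c; int fd;
    prep(&m, &iov, &byte, &c);
    if (recvmsg(sock, &m, 0) != 1) return -1;
    struct cmsghdr *h = CMSG_FIRSTHDR(&m);
    if (!h || h->cmsg_level != SOL_SOCKET || h->cmsg_type != SCM_RIGHTS
           || h->cmsg_len != CMSG_LEN(sizeof fd)) return -1;
    memcpy(&fd, CMSG_DATA(h), sizeof fd);
    return fd;
}

int main(void) {               /* both ends in one process, only to show the exchange */
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || helper_open_and_send(sv[0]) != 0) return 1;
    return daemon_recv_fd(sv[1]) >= 0 ? 0 : 1;
}
```

In a real deployment the two functions would run in separate processes, with the daemon already chrooted and non-root when it asks for a fresh descriptor after the interface comes back.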