Argus fails to start with ARGUS_INTERFACE=ind:all

Carter Bullard carter at qosient.com
Mon May 23 12:11:06 EDT 2011


Argus can't open devices it doesn't have permission to open.  You can't open
the networking interfaces of a Linux machine without root privileges.
So you either have to run as root, or you have to change the permissions on the
interfaces, so they can be opened.  Changing the permissions is not a good idea.

Argus can be installed "setuid", so that it runs as root, regardless of who calls it, 
but that is not a good idea either, as there are lots of issues with setuid programs.

The best solution is to run argus as root.

Carter

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax

On May 23, 2011, at 11:55 AM, Harry Hoffman wrote:

> Hi Carter,
> 
> So, I did a little bit more troubleshooting and it appears to be a problem
> with setting the uid/gid for dropping privs.
> 
> If argus runs as root all is ok (both with and without your patch below).
> But if I create a user and group called argus (and set perms on the
> directory properly) then argus won't start.
> 
> Also, argusbug is in both argus and argus-clients. This causes install
> conflicts with rpm/yum. Think one of them can be renamed so that argus and
> argus-clients can be installed on the same box without requiring a --force
> to rpm install?
> 
> Cheers,
> Harry
> 
> 
> 
> -----Original Message-----
> From: Carter Bullard [mailto:carter at qosient.com] 
> Sent: Monday, May 23, 2011 10:38 AM
> To: Harry Hoffman
> Cc: argus-info at lists.andrew.cmu.edu
> Subject: Re: [ARGUS] Argus fails to start with ARGUS_INTERFACE=ind:all
> 
> Hey Harry,
> We don't use socket(PF_INET,SOCK_PACKET) in argus, so not sure where this
> problem may be.
> Now that I'm looking at the code, we use AF_INET for a socket call, which
> most OS's don't mind, but
> if centos is persnickety, try this patch:
> 
> thoth:argus carter$ p4 diff ...
> ==== //depot/argus/argus/argus/ArgusSource.c#86 -
> /Users/carter/argus/argus/argus/ArgusSource.c ====
> 3666c3666
> <       if ((ArgusGetInterfaceFD = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
> ---
>>      if ((ArgusGetInterfaceFD = socket(PF_INET, SOCK_DGRAM, 0)) < 0)
> 
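Review bot: at line 3666 the socket() call being changed uses SOCK_DGRAM, while the kernel notice in the report names (PF_INET,SOCK_PACKET), so this call is not the one being flagged. AF_INET and PF_INET have the same value on Linux, so the swap is a naming correction for the domain argument and will not change what the kernel sees. The "Operation not permitted" errors in the report come from pcap_open_live, which is the call to trace instead.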
> To see if that doesn't help.  If not, we'll have to find out what call we're
> in when the error is generated
> to figure out if it's argus() or possibly,  libpcap().
> 
> Carter
> 
> 
> On May 23, 2011, at 10:19 AM, Harry Hoffman wrote:
> 
>> Hi,
>> 
>> I've downloaded the latest argus (3.0.5.3) and I'm trying to run with:
>> ARGUS_INTERFACE=ind:all
>> 
>> And I'm getting the following error messages:
>> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.195237 started
>> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.214626 started
>> May 23 10:02:20 usher kernel: argus uses obsolete (PF_INET,SOCK_PACKET)
>> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.229757
>> ArgusOpenInterface: pcap_open_live socket: Operation not permitted
>> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.237115
>> ArgusOpenInterface: pcap_open_live socket: Operation not permitted
>> May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.242792
>> ArgusOpenInterface: pcap_open_live socket: Operation not permitted
>> 
>> 
>> If I run with ARGUS_INTERFACE=any then argus starts up right away (and seems
>> to use eth0).
>> 
>> I've got the following live interfaces:
>> Eth0 (ethernet)
>> Eth1 (ethernet)
>> Lo (loopback)
>> Sit1 (ipv6-ipv4)
>> 
>> I'm running centos-5.6 x86_64. I'm happy to provide any other information.
>> 
>> Cheers,
>> Harry
>> 
>> 
>> 
> 
> 
> 
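
For triaging a report like the one quoted in this thread, the following added example (not code from the thread or from the Argus project) rejoins the mail-wrapped syslog lines and separates the pcap_open_live permission failures from the kernel's SOCK_PACKET notice. The log lines are the ones from the report above; the names REPORT, parse and triage are this example's own.

```python
import re
from collections import Counter

# Log lines from the report quoted in this thread (quote markers removed,
# mail line wrapping kept so the parser has to rejoin the records).
REPORT = """\
May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.195237 started
May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.214626 started
May 23 10:02:20 usher kernel: argus uses obsolete (PF_INET,SOCK_PACKET)
May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.229757
ArgusOpenInterface: pcap_open_live socket: Operation not permitted
May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.237115
ArgusOpenInterface: pcap_open_live socket: Operation not permitted
May 23 10:02:20 usher argus[25730]: 23 May 11 10:02:20.242792
ArgusOpenInterface: pcap_open_live socket: Operation not permitted
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) ([\w.-]+)(?:\[(\d+)\])?: (.*)$")

def parse(text):
    """Return syslog records, folding wrapped continuation lines into the previous one."""
    records = []
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if m:
            ts, host, tag, pid, msg = m.groups()
            records.append({"ts": ts, "host": host, "tag": tag, "pid": pid, "msg": msg})
        elif records and line.strip():
            records[-1]["msg"] += " " + line.strip()
    return records

def triage(records):
    """Count the events that matter when a capture fails for lack of privilege."""
    counts = Counter()
    for r in records:
        if r["tag"] == "kernel" and "SOCK_PACKET" in r["msg"]:
            counts["kernel_sock_packet_notice"] += 1
        elif "pcap_open_live" in r["msg"] and "Operation not permitted" in r["msg"]:
            counts["capture_open_eperm"] += 1
        elif r["msg"].endswith("started"):
            counts["started"] += 1
    return dict(counts)

if __name__ == "__main__":
    print(triage(parse(REPORT)))
```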
