Running Bro non-SUID on Linux

Hi gang:

I've been helping someone install Bro on Linux, and we don't want to
go the SUID route, and thought that by using setcap to set cap_net_raw
on the binary, it would work, but Bro startup copies the binary to a
temp directory, which loses all privileges - here's the communication
from the user:

One piece that I'm running into issues with though is the cap-net-raw
stuff and how broctl starts up. The error I get when attempting to
start is
==== stderr.log
/usr/local/bro/spool/tmp/bro: problem with interface eth4 -
pcap_open_live: socket: Operation not permitted

If I setcap cap_net_raw+ei /usr/local/bro/spool/tmp/bro, it appears to
set things up properly, but they don't stick. In looking deeper, the
start process in broctl purges that spool/tmp directory then copies
the executable back into that space. The result is that the setcap is
gone.

Has this been addressed somewhere, or do I go digging deeper?

I think that Justin has a patch for Bro that drops privileges after starting up. It's possible that we could just integrate that patch since it was a very small change, only something around 5 lines if I remember correctly. The addition to BroControl should be really small and easy too.

Justin, could you file a tracker ticket if you still have that patch floating around somewhere?

  .Seth
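The privilege-dropping approach Seth refers to is the standard Linux pattern for capture daemons: do the one step that needs root or CAP_NET_RAW (opening the interface) first, then give up root before any packet is parsed, so the copied binary in spool/tmp needs no capabilities of its own. The block below is an added illustration written for this thread, not Bro's code or Justin's patch; the callback `fake_open_capture` is a constructed stand-in for `pcap_open_live()` so the program runs without root, and the helper names are my own.

```c
#define _DEFAULT_SOURCE
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to the given uid/gid. Returns 0 on success, -1 on
   failure. The order matters: supplementary groups first, then the gid,
   then the uid, because once the uid is unprivileged the first two
   calls would be refused. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clearing supplementary groups needs CAP_SETGID, which an
       unprivileged process lacks; only attempt it when we hold root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* After dropping to a non-root uid, regaining root must fail;
       if it succeeds the drop was not permanent (e.g. only seteuid). */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Report whether real and effective ids both match the requested ones. */
int running_as(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Startup pattern discussed in the thread: perform the privileged step
   (opening the capture interface, represented by a caller-supplied
   callback) while still privileged, then drop before processing traffic.
   Returns 0 on success, -1 if either step fails. */
int start_capture_then_drop(int (*open_capture)(void), uid_t uid, gid_t gid)
{
    if (open_capture() != 0)
        return -1;
    return drop_privileges(uid, gid);
}

/* Constructed stand-in for pcap_open_live(): needs no root and always
   succeeds, so the example runs on any account. */
static int fake_open_capture(void)
{
    return 0;
}

int main(void)
{
    /* Dropping to our own ids is always permitted, so a non-root run of
       this demo still exercises every call in the real order. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (start_capture_then_drop(fake_open_capture, uid, gid) != 0) {
        perror("start_capture_then_drop");
        return 1;
    }
    printf("capture opened; now running as uid=%u gid=%u (drop %s)\n",
           (unsigned)getuid(), (unsigned)getgid(),
           running_as(uid, gid) ? "verified" : "NOT verified");
    return 0;
}
```

In a real deployment `uid`/`gid` would come from `getpwnam()` on a dedicated capture account, and the drop must sit after `pcap_open_live()` but before the first `pcap_dispatch()`/`pcap_loop()` call. This also explains the original symptom: file capabilities are stored in the `security.capability` extended attribute, and writing that attribute requires CAP_SETFCAP, so a plain `cp` of the binary by an unprivileged broctl can never carry `cap_net_raw` across to spool/tmp (GNU `cp --preserve=xattr` only helps when the copying process itself has that capability).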

A number of things here:

I've been helping someone install Bro on Linux, and we don't want to
go the SUID route, and thought that by using setcap to set cap_net_raw
on the binary, it would work, but Bro startup copies the binary to a
temp directory, which loses all privileges

Yeah, this copying has bitten people in the past. The reason for
that is NFS, where running the original binary may cause trouble.
Still, we might want to get rid of this, or make it optional, or
keep it just to the NFS mode.

Independent of that, is there a way to copy an executable while
keeping its capabilities?

One thing I thought of was to write a custom SUID root program whose
only function is to set the capabilities on the binary in the temp
directory (hard coded into the SUID program, for security's sake), and
run it just after the copy.....

Would work I guess, though we don't have a hook in broctl right now
to trigger that, so we'd need to hack the script.

A number of things here:

I've been helping someone install Bro on Linux, and we don't want to
go the SUID route, and thought that by using setcap to set cap_net_raw
on the binary, it would work, but Bro startup copies the binary to a
temp directory, which loses all privileges

Yeah, this copying has bitten people in the past. The reason for
that is NFS, where running the original binary may cause trouble.
Still, we might want to get rid of this, or make it optional, or
keep it just to the NFS mode.

I think modifying the script to make the copy an optional feature
would be reasonable.

Independent of that, is there a way to copy an executable while
keeping its capabilities?

One thing I thought of was to write a custom SUID root program whose
only function is to set the capabilities on the binary in the temp
directory (hard coded into the SUID program, for security's sake), and
run it just after the copy.....

Would work I guess, though we don't have a hook in broctl right now
to trigger that, so we'd need to hack the script.

I think that Justin has a patch for Bro that drops privileges after
starting up.

Yeah, that has been on my list for a while, we should definitely
integrate it.

Robin

Well, I believe that copying an SUID-root binary as non-root will cause SUID
to be dropped, so the copy still is a limiting factor. Interested in
seeing the drop privilege code too, tho'

Thanks to all!!!!

I've opened a ticket for this.

Robin