Hi gang:
I've been helping someone install Bro on Linux, and we don't want to
go the SUID route, and thought that by using setcap to set cap_net_raw
on the binary, it would work, but Bro startup copies the binary to a
temp directory, which loses all privileges - here's the communication
from the user:
One piece that I'm running into issues with though is the cap-net-raw
stuff and how broctl starts up. The error I get when attempting to
start is
==== stderr.log
/usr/local/bro/spool/tmp/bro: problem with interface eth4
-pcap_open_live: socket: Operation not permitted
If I setcap cap_net_raw+ei /usr/local/bro/spool/tmp/bro, it appears to
set things up properly, but they don't stick. In looking deeper, the
start process in broctl purges that spool/tmp directory then copies
the executable back into that space. The result is that the setcap is
gone.
Has this been addressed somewhere, or do I go digging deeper?