On 09/07/2016 12:15 PM, Robert Haist wrote:
> Package: suricata
> Version: 3.1.1-4
> 
> It might be a security improvement to let suricata run with non-root
> privileges and a special permission for the provided capture modes.
> Running as root might be a problem if a protocol parser or some other
> input-dependent code is exploitable.
> 


Hi,


Do you mean the following part of the config file:
# Run suricata as user and group.
#run-as:
#  user: suri
#  group: suri

This already reduces the risk in case a parser is compromised, but using
such a user is not the default configuration (you have to create one and
uncomment these lines). That could be added to the Debian package.


Or, do you mean an additional mechanism to start as user (like file
capabilities)?

Technically, file capabilities already work; however, the required
capability will depend on the capture method.

Regards,
Pierre

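A script that applies both mechanisms discussed above (the run-as block and file capabilities), added here as an example; it is not from the thread or the Suricata project. The config and binary paths, the account name suri (taken from the quoted config), and the AF_PACKET capability set (cap_net_raw plus cap_net_admin) are assumptions; other capture methods need a different set.

```shell
#!/bin/sh
# Added example (not from the thread): enable Suricata's run-as block and
# grant file capabilities so the daemon can drop root after start-up.
# Assumptions: config at $SURICATA_YAML, binary at $SURICATA_BIN, capture via
# AF_PACKET, which needs cap_net_raw and cap_net_admin (cap_sys_nice would only
# be needed for CPU affinity). Other capture methods require a different set;
# check the Suricata documentation for the one in use.
set -eu

SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"
SURICATA_BIN="${SURICATA_BIN:-/usr/bin/suricata}"
RUN_USER="${RUN_USER:-suri}"

# Uncomment the run-as block in a suricata.yaml, substituting user and group.
# Usage: enable_run_as <yaml-file> <user>
enable_run_as() {
    yaml="$1"; user="$2"
    sed -i \
        -e 's/^#run-as:/run-as:/' \
        -e "s/^#  user: .*/  user: ${user}/" \
        -e "s/^#  group: .*/  group: ${user}/" \
        "$yaml"
}

# Return 0 if the yaml has an active (uncommented) run-as block for <user>.
run_as_enabled() {
    grep -q '^run-as:' "$1" && grep -q "^  user: $2\$" "$1"
}

# Root-only steps: create the unprivileged account and set file capabilities.
install_privileges() {
    id "$RUN_USER" >/dev/null 2>&1 || \
        useradd --system --no-create-home --shell /usr/sbin/nologin "$RUN_USER"
    setcap 'cap_net_raw,cap_net_admin=eip' "$SURICATA_BIN"
    getcap "$SURICATA_BIN"
}

# Post-start check: a suricata process exists and none of them runs as root.
verify_not_root() {
    users=$(ps -o user= -C suricata) || return 1
    [ -n "$users" ] && ! printf '%s\n' "$users" | grep -q '^root$'
}

if [ "${1:-}" = "apply" ]; then
    install_privileges
    enable_run_as "$SURICATA_YAML" "$RUN_USER"
    run_as_enabled "$SURICATA_YAML" "$RUN_USER" && echo "run-as enabled for $RUN_USER"
fi
```

Run it as root with the argument apply, then restart Suricata and call verify_not_root to confirm the privilege drop took effect.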