AF_PACKET fails to initialize when running with limited privileges
If I run Suricata with AF_PACKET as shown below, everything is fine:
suricata -c /etc/suricata/suricata.yaml --af-packet=eth0
However, if I tell Suricata to drop to a non-root user like this:
suricata --user sguil --group sguil -c /etc/suricata/suricata.yaml --af-packet=eth0
it drops the capabilities and then AF_PACKET fails to initialize.
Should Suricata initialize AF_PACKET first, and then drop capabilities?
Updated by Eric Leblond about 12 years ago
- File 0001-Add-AF_PACKET-to-capability-system.patch added
- % Done changed from 0 to 90
AF_PACKET behaves like pcap from a capability point of view. The attached patch just translates this into code.
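
A way to check the condition discussed in this issue, as an added example that is not part of the original report or the attached patch: creating an AF_PACKET socket requires CAP_NET_RAW, so the function below decodes the CapEff mask from /proc/<pid>/status text and reports whether that bit survived the privilege drop. The status snippets and the names has_cap and report are constructed for illustration.

```shell
#!/bin/sh
# Added example: the status snippets below are constructed, not captured output.
CAP_NET_RAW=13   # bit number from <linux/capability.h>; needed to open AF_PACKET sockets

ROOT_STATUS='Name: Suricata-Main
Uid: 0 0 0 0
CapEff: 000001ffffffffff'

DROPPED_STATUS='Name: Suricata-Main
Uid: 1001 1001 1001 1001
CapEff: 0000000000000000'

KEPT_STATUS='Name: Suricata-Main
Uid: 1001 1001 1001 1001
CapEff: 0000000000002000'

# has_cap STATUS_TEXT BIT
# Returns 0 if BIT is set in CapEff, 1 if clear, 2 if no valid CapEff line is found.
has_cap() {
    mask=$(printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2; exit }')
    case $mask in
        ''|*[!0-9a-fA-F]*) return 2 ;;   # missing or non-hex value: refuse to evaluate
    esac
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# report LABEL STATUS_TEXT: say whether the capability check for AF_PACKET would pass
report() {
    if has_cap "$2" "$CAP_NET_RAW"; then
        echo "$1: CAP_NET_RAW present, capability check for AF_PACKET passes"
    else
        echo "$1: CAP_NET_RAW not found, AF_PACKET socket creation is denied"
    fi
}

report "root, no privilege drop" "$ROOT_STATUS"
report "dropped, nothing retained" "$DROPPED_STATUS"
report "dropped, CAP_NET_RAW retained" "$KEPT_STATUS"
```

On a live sensor, pass the real file contents instead of the constructed text: `has_cap "$(cat /proc/<pid>/status)" 13`.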