Do not edit. This page has been migrated. See Converting_Wiki_Documentation_to_Sphinx.

Dropping Privileges After Startup

Currently, libcap-ng is needed for dropping privileges on Suricata after startup. For libcap, see status of feature request number #276 -- Libcap support for dropping privileges.

Download the current version of libcap-ng from upstream, see also

tar -xzvf libcap-ng-0.7.4.tar.gz
cd libcap-ng-0.7.4
make install

Download, configure, compile, and install Suricata for your particular setup. See Suricata Installation Depending on your environment, you may need to add the --with-libpcap_ng-libraries and --with-libpcap_ng-includes options during the configure step. e.g:

./configure --with-libcap_ng-libraries=/usr/local/lib --with-libcap_ng-includes=/usr/local/include

Now, when you run Suricata, tell it what user and/or group you want it to run as after startup with the --user and --group options. e.g. (this assumes a 'suri' user and group):

/usr/local/bin/suricata -c /etc/suricata/suricata.yaml -D -i eth0 --user=suri --group=suri

You will also want to make sure your user/group permissions are set so suricata can still write to its log files which are usually located in /var/log/suricata.

mkdir -p /var/log/suricata
chown -R root:suri /var/log/suricata
chmod -R 775 /var/log/suricata

If you rely on the pid files be aware that as of version 1.4.x Suricata writes the pid file before it switches uids. This means that the pid file will be owned by root and will not be readable by the alternative uid. If this is an issue for you then a work around is to set the sgid bit on the directory that the pid file will be created in. This will cause all files in this directory to inherit the gid from the parent directory rather than the creating process.

chmod g+s ~sensors/sensor1/run

ls -ld ~sensors/sensor1/run
drwxr-sr-x 2 sensors sensors 4096 Aug  9 09:20 ~sensors/sensor1/run

and so after running suricata we get

ls -ld ~sensors/sensor1/run/ 
-rw-r----- 1 root sensors 6 Aug  9 09:20 ~sensors/sensor1/run/