This documentation is no longer maintained and exists for historical purposes. The current documentation is located at http://suricata.readthedocs.io/.
Dropping Privileges After Startup¶
Currently, libcap-ng is needed for dropping privileges on Suricata after startup. For libcap, see status of feature request number #276 -- Libcap support for dropping privileges.
Download the current version of libcap-ng from upstream, see also http://people.redhat.com/sgrubb/libcap-ng/ChangeLog
wget http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-0.7.4.tar.gz tar -xzvf libcap-ng-0.7.4.tar.gz cd libcap-ng-0.7.4 ./configure make make install
Download, configure, compile, and install Suricata for your particular setup. See Suricata Installation Depending on your environment, you may need to add the --with-libpcap_ng-libraries and --with-libpcap_ng-includes options during the configure step. e.g:
./configure --with-libcap_ng-libraries=/usr/local/lib --with-libcap_ng-includes=/usr/local/include
Now, when you run Suricata, tell it what user and/or group you want it to run as after startup with the --user and --group options. e.g. (this assumes a 'suri' user and group):
/usr/local/bin/suricata -c /etc/suricata/suricata.yaml -D -i eth0 --user=suri --group=suri
You will also want to make sure your user/group permissions are set so suricata can still write to its log files which are usually located in /var/log/suricata.
mkdir -p /var/log/suricata chown -R root:suri /var/log/suricata chmod -R 775 /var/log/suricata