From: John Audia
Date: Wed, 10 Sep 2025 21:06:30 +0000 (-0400)
Subject: snort3: run as regular user rather than as root
X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=69117bf2d5ecd5cc64c3f089df2641c0ba12611b;p=feed%2Fpackages.git

snort3: run as regular user rather than as root

Running as a dedicated user is better from both a security and an isolation perspective than running as root.

Signed-off-by: John Audia
---
diff --git a/net/snort3/Makefile b/net/snort3/Makefile
index 53b1f8279e..753c3e923f 100644
--- a/net/snort3/Makefile
+++ b/net/snort3/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=snort3
 PKG_VERSION:=3.9.6.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/snort3/snort3/tar.gz/$(PKG_VERSION)?
@@ -30,6 +30,7 @@ define Package/snort3
 	+kmod-nft-queue +liblzma +ucode +ucode-mod-fs +ucode-mod-uci \
 	+PACKAGE_gperftools:gperftools \
 	+PACKAGE_vectorscan:vectorscan
+  USERID:=snort=975:snort=975
   TITLE:=Lightweight Network Intrusion Detection System
   URL:=http://www.snort.org/
   MENU:=1
diff --git a/net/snort3/files/snort.init b/net/snort3/files/snort.init
index f73ebe8799..df704800f7 100644
--- a/net/snort3/files/snort.init
+++ b/net/snort3/files/snort.init
@@ -43,6 +43,14 @@ start_service() {
 		procd_set_param env SNORT_LUA_PATH="$config_dir"
 		procd_set_param file $CONFIGFILE
 	fi
+	[ -x /sbin/ujail -a -e /etc/capabilities/snort.json ] && {
+		chown -R snort:snort "$config_dir"
+		procd_add_jail snort
+		procd_set_param capabilities /etc/capabilities/snort.json
+		procd_set_param user snort
+		procd_set_param group snort
+		procd_set_param no_new_privs 1
+	}
 	procd_set_param respawn
 	procd_set_param stdout 0
 	procd_set_param stderr 1
diff --git a/net/snort3/files/snort.json b/net/snort3/files/snort.json
new file mode 100644
index 0000000000..aacfd7e16a
--- /dev/null
+++ b/net/snort3/files/snort.json
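Review bot: Nothing in this commit installs `files/snort.json` to `/etc/capabilities/snort.json`, the path that the new `snort.init` block tests before dropping privileges, so the added `USERID:=snort=975:snort=975` line creates the account while the drop itself may never trigger. If `Package/snort3/install` (not in this hunk) does not already copy it, add `$(INSTALL_DIR) $(1)/etc/capabilities` and `$(INSTALL_DATA) ./files/snort.json $(1)/etc/capabilities/snort.json` to that recipe. A one-line comment above `USERID`, such as `# dedicated account for the ujail-based privilege drop in files/snort.init`, would tell the next maintainer why the account exists.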
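Review bot: When `/sbin/ujail` or `/etc/capabilities/snort.json` is absent, the guard on the first added line silently skips the whole block and snort starts as root exactly as before, with nothing in the log to say so; appending `} || logger -t snort -p daemon.warn "ujail or /etc/capabilities/snort.json missing, running as root"` makes the fallback visible. `chown -R snort:snort "$config_dir"` gives the confined process ownership of, and therefore write access to, the configuration and rules it loads, which is more than reading them requires; `chgrp -R snort "$config_dir"` followed by `chmod -R g+rX "$config_dir"` keeps the files root-owned and read-only for the service. The `-a` operator inside `[ ]` is obsolescent in POSIX; `[ -x /sbin/ujail ] && [ -e /etc/capabilities/snort.json ] && {` is the portable spelling. I also see no `procd_add_jail_mount` for `$config_dir`, the rules or the log directory; if that is not handled elsewhere in `start_service`, which begins before and ends after this hunk, the jailed process may not be able to reach them.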
@@ -0,0 +1,27 @@
+{
+	"bounding": [
+		"CAP_NET_ADMIN",
+		"CAP_NET_RAW",
+		"CAP_IPC_LOCK"
+	],
+	"effective": [
+		"CAP_NET_ADMIN",
+		"CAP_NET_RAW",
+		"CAP_IPC_LOCK"
+	],
+	"ambient": [
+		"CAP_NET_ADMIN",
+		"CAP_NET_RAW",
+		"CAP_IPC_LOCK"
+	],
+	"permitted": [
+		"CAP_NET_ADMIN",
+		"CAP_NET_RAW",
+		"CAP_IPC_LOCK"
+	],
+	"inheritable": [
+		"CAP_NET_ADMIN",
+		"CAP_NET_RAW",
+		"CAP_IPC_LOCK"
+	]
+}
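Review bot: The same three capabilities are listed in all five sets, which is what ujail needs to carry them across exec into a non-root process, but the commit does not record why each one is required and JSON gives no place for a comment. CAP_NET_ADMIN in particular is broad (interface, routing and netfilter configuration), so a short note next to the `procd_set_param capabilities` line in `snort.init`, for example `# CAP_NET_RAW: packet capture; CAP_NET_ADMIN: presumably nfqueue/promiscuous setup; CAP_IPC_LOCK: locking capture buffers -- confirm each is still needed`, would let a later reviewer check whether the set can be trimmed. If CAP_IPC_LOCK is only there to exceed the default memlock limit, it may be possible to drop it in favour of `procd_set_param limits memlock="unlimited"`; worth confirming against what snort actually calls.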