Install from source and run as non-root

Hi there,

Can Packetbeat be meaningfully run using a non-root user?

I've got the following limitations on my servers (provided by another department in our company):

  • Only standard RedHat packages can be installed via yum by the admins of the infrastructure providers
  • Apache httpd starts as root, then handles the requests as another non-root service account
  • Applications and other software like Redis or ES must be installed with non-root service accounts

I wonder whether Packetbeat installed and running with the non-root system account could monitor the traffic from

  • Apache httpd, which has been started as root
  • ES and Redis which have been started with the same non-root system account as Packetbeat?

Cheers,

Jan

Because Packetbeat needs to capture network packets from a raw socket, it needs root permissions to open the socket. You can make it drop privileges after opening the socket, similar to Apache. Not sure if that is enough in your case.

1 Like

You should be able to do this by giving the packetbeat binary CAP_NET_RAW capability.

$ sudo setcap cap_net_raw=ep /usr/bin/packetbeat

After that you can start packetbeat as any user. This will not work in a nosuid mount (e.g. Ubuntu home directory), but /usr/bin should be fine. I'm pretty sure systemd can set process capabilities too, and that might be the most acceptable solution for your sysadmins.

It doesn't matter under which account Apache, ES or Redis are running. Packetbeat sees all the network packets on the machine it runs on.

2 Likes