The Beat can drop privileges after creating the sniffing socket.
Root access is required for opening the socket, but everything else requires no
privileges. Therefore, it is recommended that you have the Beat switch users after
the initialization phase. The
gid settings set the User Id and Group
Id under which the Beat runs.
On Linux, Setuid doesn’t change the uid of all threads, so the Go garbage collector will continue to run as root. Also note that process monitoring only works when running as root.
Example configuration for the
runoptions section of the
packetbeat.yml config file:
packetbeat.runoptions: uid=501 gid=501
runoptions configuration is supported on Linux only.