Re: Draft for hosted cgi

[Arturo 'Buanzo' Busleiman <buanzo () buanzo com ar>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Julien Delange wrote:
> - The separation between daemon and cgi is very important, because run nmap
> through Apache is a __very__ bad idea (it means you have nmap suid or you
> have to run apache as root, ...)

Three more options:

1) use sudo (which, of course, is like running nmap as root)
2) use scan types that no rely on root privileges
3) use linux capabilities, to grant an unprivileged user the required raw sockets capabilities.

- --
Arturo "Buanzo" Busleiman - VPN Mail Project - http://vpnmail.buanzo.com.ar
Consultor en Seguridad Informatica - http://www.buanzo.com.ar
My Linux and Security Blog at http://linux-consulting.buanzo.com.ar/

Romper un sistema de seguridad los acerca tanto a ser hackers como
encender autos puenteando los convierte en ingenieros automotrices.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEdDdMAlpOsGhXcE0RAvXNAJ4tIuE+u/Beyo2qo5j6ICZMvNXBlgCffNv+
smIMa7dyU3TvpyTAyxfb/BQ=
=BMnM
-----END PGP SIGNATURE-----


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev