Nmap Development mailing list archives
Re: [NMAP::Patch] Add support for check Linux capabilities privileges
From: David Fifield <david () bamsoftware com>
Date: Sat, 12 Dec 2009 22:04:13 -0700
On Tue, Dec 01, 2009 at 09:41:37AM -0200, Leonardo Amaral wrote:
> Hello List! (It's more or less the same as the mail I've sent to Fyodor.)
>
> As an inspired guy with insomnia (4:15 a.m. here :p), I've created a patch to support capabilities. It worked very well, but this patch should be revised so that it doesn't have problems with security. I think that if the kernel knows the app's capabilities, it allows the operation automatically. I've defined these as the required capabilities:
>
> CAP_NET_ADMIN
>     Perform various network-related operations (e.g., setting privileged socket options, enabling multicasting, interface configuration, modifying routing tables).
> CAP_NET_BROADCAST
>     (Unused) Make socket broadcasts, and listen to multicasts.
> CAP_NET_RAW
>     Use RAW and PACKET sockets.
>
> I'm sending the patch attached to version 5.10BETA1.

Hi. This is a nice idea. If I understand correctly, this would allow nmap to be installed not setuid, with only a few capabilities set, so that non-root users could run privileged scans. It would be good for security to run Nmap as a normal user, so that any security exploits wouldn't have access to everything root has access to, only some network and packet-sending privileges. We could encourage distributors to install it that way, perhaps with execution limited to an nmap group or something.

For this patch to be included, it will have to compile on all the platforms Nmap compiles on now. That will mean checking for capabilities support in configure.ac, and then conditionally compiling the parts that use capabilities.

What do you mean when you say the patch should be revised not to have problems with security?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
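
The kind of privilege check discussed in this thread, as an added example that is not the attached patch and not Nmap's code: it reads the effective capability mask from `/proc/self/status` and tests for the capabilities named above. The function names, the sample text, and the choice to require only CAP_NET_ADMIN and CAP_NET_RAW (CAP_NET_BROADCAST is marked unused in the message) are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from <linux/capability.h>, defined locally so no kernel headers are needed. */
#define CAP_BIT_NET_ADMIN 12
#define CAP_BIT_NET_RAW   13
/* Assumption: these two are required; CAP_NET_BROADCAST is listed as unused. */
#define REQUIRED_CAPS ((1ULL << CAP_BIT_NET_ADMIN) | (1ULL << CAP_BIT_NET_RAW))

/* Constructed sample of /proc/<pid>/status: only NET_ADMIN and NET_RAW are set. */
const char SAMPLE_STATUS[] =
    "Name:\tnmap\nCapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000003000\nCapEff:\t0000000000003000\n";

/* Parse the hex mask on the "CapEff:" line. Returns 0 on success, -1 if the
   line is missing or carries no hex digits. */
int parse_capeff(const char *status, uint64_t *mask)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            p += 7;
            while (*p == ' ' || *p == '\t') p++;
            if (!isxdigit((unsigned char)*p)) return -1;
            *mask = strtoull(p, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');   /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* 1 if every required capability is effective (root's full mask also passes). */
int is_privileged(uint64_t capeff)
{
    return (capeff & REQUIRED_CAPS) == REQUIRED_CAPS;
}

int main(void)
{
    char buf[4096];
    uint64_t mask;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 2; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    if (parse_capeff(buf, &mask) != 0) { fputs("no CapEff line\n", stderr); return 2; }
    printf("CapEff=%016llx privileged=%d\n", (unsigned long long)mask, is_privileged(mask));
    return is_privileged(mask) ? 0 : 1;
}
```
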