Re: Privilege checks in broadcast-* scripts

[Kris Katterjohn <katterjohn () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/14/2012 01:44 PM, Henri Doreau wrote:
> Hi Patrik,
>
> 2012/1/14 Patrik Karlsson <patrik () cqure net>:
> > While implementing another script today I saw one drawback of having this
> > check in the prerule.
> > I would personally prefer the script to return the error as a script result
> > rather than having to run nmap in verbose/debug mode to find out that it's
> > "silently" failing due to permission issues. What do you think?
> well, just my opinion but I think that having the check in the script
> rule is better.
>
> As a user I would find annoying to have "lack of privileges" messages
> within the script results, that would also end up in XML reports...
> As a script writer, if a script fails at delivering results one of the
> first things I would do is to re-run nmap with an higher verbosity
> level, so I don't find the current situation problematical.
>
> I would therefore rather prefer to avoid mixing error messages -that
> don't bring any information about the target- and actual script
> results.
>
> What do other people think about it?

After I wrote is_privileged(), I did the rootfail stuff in order to notify the
user of the problem without spewing forth a bunch of identical script output
that was just an error message anyway.  At the time (a long time ago now it
seems), the only scripts using a lot of these things I implemented (or started
doing) were just mine anyway, and since I was playing around a lot with them I
didn't like the idea of every script on every host needlessly giving me the
same message.  And since I always run with debugging, I tried to keep it to
just one message per script (regardless of how many hosts), again to reduce
how many messages I'd see.

I haven't been following this closely, but since this sounds similar, I say
keep the error messages (like lacking privileges) out of the script output and
in verbose/debugging.  Otherwise, we'd be using script output to tell the user
that they messed up (by not running with proper privileges).  To me, that
doesn't seem right.

> Regards.

Cheers,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPEeu5AAoJEEQxgFs5kUfugWEP+wbS+q5X6WP8FNsfslqVJvCz
ZgJoOGMfu8NvN4cnc+VMB0yzT9y1/cxzgzh8KnHpRWqobCMT97/i8k9CZ9oaggaj
Crn0eD6FtRX/qdulub9dQEvl8Z17uNlZiWKYiCHQ64NNKTSFdhpqzOQaef0oplq/
I5kGxBIuNrJzkeCDEagKIEgN/0doIPsv70UBAx0TTmK4MJsdX0mziT3IP/7H1oOC
iIkqKZ9GBWAchuDhjtgI7UCoWcOPdynExhI092pvpRCXOIbUul0W0qa1pbY9LnuH
NQFjuDXlfzG7L9PSP+QO/k41jlT6GCUAYbRhaFuqQHoy8TCBAeRoDI2kCx2OTuGO
GpHh2ZeCKoyj/A99XwKgQrKAgSQhH7pgcvy7x1sMs+t25Qbj/QGO9QbQ7EErcbQ8
G6kTnmNsr06k4blNLnwVwMpPvBmv7Esr+DNtzAbKBrm7d3mJnvMnzbmuBSAv17yJ
Lr3PpGrUrtgwgJtB3Lc3KR50QKkOj3nvuuaIldcLPgSoNAKeKqqkKUqsz/M1MUrf
1RZ262fGfG4MZQqFsom1efK6t1e/jGRdSmDCVym6JrorowoOEFQMlqN+PWnlTmjE
ZvO4PdZfpXzmBLtuAk/Pc7Ubn2G/HS83udM/4GPf8kaHxtDDLxp8FNMUC+giHcWh
Bkcvkmm2/7LU4CugyG2n
=Kjta
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/