Nmap Development mailing list archives
Re: Privilege checks in broadcast-* scripts
From: Kris Katterjohn <katterjohn () gmail com>
Date: Sat, 14 Jan 2012 14:55:34 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/14/2012 01:44 PM, Henri Doreau wrote:
Hi Patrik, 2012/1/14 Patrik Karlsson <patrik () cqure net>:While implementing another script today I saw one drawback of having this check in the prerule. I would personally prefer the script to return the error as a script result rather than having to run nmap in verbose/debug mode to find out that it's "silently" failing due to permission issues. What do you think?well, just my opinion but I think that having the check in the script rule is better. As a user I would find annoying to have "lack of privileges" messages within the script results, that would also end up in XML reports... As a script writer, if a script fails at delivering results one of the first things I would do is to re-run nmap with an higher verbosity level, so I don't find the current situation problematical. I would therefore rather prefer to avoid mixing error messages -that don't bring any information about the target- and actual script results. What do other people think about it?
After I wrote is_privileged(), I did the rootfail stuff in order to notify the user of the problem without spewing forth a bunch of identical script output that was just an error message anyway. At the time (a long time ago now it seems), the only scripts using a lot of these things I implemented (or started doing) were just mine anyway, and since I was playing around a lot with them I didn't like the idea of every script on every host needlessly giving me the same message. And since I always run with debugging, I tried to keep it to just one message per script (regardless of how many hosts), again to reduce how many messages I'd see. I haven't been following this closely, but since this sounds similar, I say keep the error messages (like lacking privileges) out of the script output and in verbose/debugging. Otherwise, we'd be using script output to tell the user that they messed up (by not running with proper privileges). To me, that doesn't seem right.
Regards.
Cheers, Kris Katterjohn -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPEeu5AAoJEEQxgFs5kUfugWEP+wbS+q5X6WP8FNsfslqVJvCz ZgJoOGMfu8NvN4cnc+VMB0yzT9y1/cxzgzh8KnHpRWqobCMT97/i8k9CZ9oaggaj Crn0eD6FtRX/qdulub9dQEvl8Z17uNlZiWKYiCHQ64NNKTSFdhpqzOQaef0oplq/ I5kGxBIuNrJzkeCDEagKIEgN/0doIPsv70UBAx0TTmK4MJsdX0mziT3IP/7H1oOC iIkqKZ9GBWAchuDhjtgI7UCoWcOPdynExhI092pvpRCXOIbUul0W0qa1pbY9LnuH NQFjuDXlfzG7L9PSP+QO/k41jlT6GCUAYbRhaFuqQHoy8TCBAeRoDI2kCx2OTuGO GpHh2ZeCKoyj/A99XwKgQrKAgSQhH7pgcvy7x1sMs+t25Qbj/QGO9QbQ7EErcbQ8 G6kTnmNsr06k4blNLnwVwMpPvBmv7Esr+DNtzAbKBrm7d3mJnvMnzbmuBSAv17yJ Lr3PpGrUrtgwgJtB3Lc3KR50QKkOj3nvuuaIldcLPgSoNAKeKqqkKUqsz/M1MUrf 1RZ262fGfG4MZQqFsom1efK6t1e/jGRdSmDCVym6JrorowoOEFQMlqN+PWnlTmjE ZvO4PdZfpXzmBLtuAk/Pc7Ubn2G/HS83udM/4GPf8kaHxtDDLxp8FNMUC+giHcWh Bkcvkmm2/7LU4CugyG2n =Kjta -----END PGP SIGNATURE----- _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Privilege checks in broadcast-* scripts Henri Doreau (Jan 13)
- Re: Privilege checks in broadcast-* scripts Patrik Karlsson (Jan 13)
- Re: Privilege checks in broadcast-* scripts Henri Doreau (Jan 13)
- Re: Privilege checks in broadcast-* scripts Henri Doreau (Jan 13)
- Re: Privilege checks in broadcast-* scripts Patrik Karlsson (Jan 13)
- Re: Privilege checks in broadcast-* scripts Henri Doreau (Jan 13)
- Re: Privilege checks in broadcast-* scripts Patrik Karlsson (Jan 14)
- Re: Privilege checks in broadcast-* scripts Henri Doreau (Jan 14)
- Re: Privilege checks in broadcast-* scripts Kris Katterjohn (Jan 14)
- Re: Privilege checks in broadcast-* scripts Patrik Karlsson (Jan 15)
- Re: Privilege checks in broadcast-* scripts Kris Katterjohn (Jan 15)
- Re: Privilege checks in broadcast-* scripts Patrik Karlsson (Jan 15)
- Re: Privilege checks in broadcast-* scripts Kris Katterjohn (Jan 15)
- Re: Privilege checks in broadcast-* scripts Henri Doreau (Jan 13)
- Re: Privilege checks in broadcast-* scripts Henri Doreau (Jan 16)
- Re: Privilege checks in broadcast-* scripts Patrik Karlsson (Jan 13)