Re: Privilege checks in broadcast-* scripts

[Patrik Karlsson <patrik () cqure net>]

On Sat, Jan 14, 2012 at 9:55 PM, Kris Katterjohn <katterjohn () gmail com>wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/14/2012 01:44 PM, Henri Doreau wrote:
> > Hi Patrik,
> >
> > 2012/1/14 Patrik Karlsson <patrik () cqure net>:
> > > While implementing another script today I saw one drawback of having
> this
> > > check in the prerule.
> > > I would personally prefer the script to return the error as a script
> result
> > > rather than having to run nmap in verbose/debug mode to find out that
> it's
> > > "silently" failing due to permission issues. What do you think?
> > well, just my opinion but I think that having the check in the script
> > rule is better.
> >
> > As a user I would find annoying to have "lack of privileges" messages
> > within the script results, that would also end up in XML reports...
> > As a script writer, if a script fails at delivering results one of the
> > first things I would do is to re-run nmap with an higher verbosity
> > level, so I don't find the current situation problematical.
> >
> > I would therefore rather prefer to avoid mixing error messages -that
> > don't bring any information about the target- and actual script
> > results.
> >
> > What do other people think about it?
>
> After I wrote is_privileged(), I did the rootfail stuff in order to notify
> the
> user of the problem without spewing forth a bunch of identical script
> output
> that was just an error message anyway.  At the time (a long time ago now it
> seems), the only scripts using a lot of these things I implemented (or
> started
> doing) were just mine anyway, and since I was playing around a lot with
> them I
> didn't like the idea of every script on every host needlessly giving me the
> same message.  And since I always run with debugging, I tried to keep it to
> just one message per script (regardless of how many hosts), again to reduce
> how many messages I'd see.
>
> I haven't been following this closely, but since this sounds similar, I say
> keep the error messages (like lacking privileges) out of the script output
> and
> in verbose/debugging.  Otherwise, we'd be using script output to tell the
> user
> that they messed up (by not running with proper privileges).  To me, that
> doesn't seem right.
>
> > Regards.
>
> Cheers,
> Kris Katterjohn
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQIcBAEBAgAGBQJPEeu5AAoJEEQxgFs5kUfugWEP+wbS+q5X6WP8FNsfslqVJvCz
> ZgJoOGMfu8NvN4cnc+VMB0yzT9y1/cxzgzh8KnHpRWqobCMT97/i8k9CZ9oaggaj
> Crn0eD6FtRX/qdulub9dQEvl8Z17uNlZiWKYiCHQ64NNKTSFdhpqzOQaef0oplq/
> I5kGxBIuNrJzkeCDEagKIEgN/0doIPsv70UBAx0TTmK4MJsdX0mziT3IP/7H1oOC
> iIkqKZ9GBWAchuDhjtgI7UCoWcOPdynExhI092pvpRCXOIbUul0W0qa1pbY9LnuH
> NQFjuDXlfzG7L9PSP+QO/k41jlT6GCUAYbRhaFuqQHoy8TCBAeRoDI2kCx2OTuGO
> GpHh2ZeCKoyj/A99XwKgQrKAgSQhH7pgcvy7x1sMs+t25Qbj/QGO9QbQ7EErcbQ8
> G6kTnmNsr06k4blNLnwVwMpPvBmv7Esr+DNtzAbKBrm7d3mJnvMnzbmuBSAv17yJ
> Lr3PpGrUrtgwgJtB3Lc3KR50QKkOj3nvuuaIldcLPgSoNAKeKqqkKUqsz/M1MUrf
> 1RZ262fGfG4MZQqFsom1efK6t1e/jGRdSmDCVym6JrorowoOEFQMlqN+PWnlTmjE
> ZvO4PdZfpXzmBLtuAk/Pc7Ubn2G/HS83udM/4GPf8kaHxtDDLxp8FNMUC+giHcWh
> Bkcvkmm2/7LU4CugyG2n
> =Kjta
> -----END PGP SIGNATURE-----

The problem I see is that currently, an empty script result could mean
either:
- The script finished successfully, but didn't find anything to report
- The script didn't run because it didn't have the appropriate privileges
to do so
- The script crashed for some reason and failed to complete

While I get that some of us at nmap-dev would just increase verbosity and
run again to see what's happening, I'm not sure this applies to everyone. I
guess the problem relates to a previous discussion about errors in general
not being reported properly and the only way to see if a script crashed,
failed due to insufficient privileges or simply didn't find anything to
report is by running in debug mode. I think there's a risk here that you
rely on a script doing it's job and not finding anything, while in reality
it just crashed and didn't do anything.

So, in regards to the is_privileged checks, let's keep the checks in the
prerule until we find a general way to report errors back to the user
without cluttering the XML reports? There might be one or two more scripts
that need the change in that case.

Cheers,
Patrik
-- 
Patrik Karlsson
http://www.cqure.net
http://twitter.com/nevdull77
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/