Nmap Development mailing list archives
Re: Privilege checks in broadcast-* scripts
From: Patrik Karlsson <patrik () cqure net>
Date: Sun, 15 Jan 2012 12:01:53 +0100
On Sat, Jan 14, 2012 at 9:55 PM, Kris Katterjohn <katterjohn () gmail com>wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/14/2012 01:44 PM, Henri Doreau wrote:Hi Patrik, 2012/1/14 Patrik Karlsson <patrik () cqure net>:While implementing another script today I saw one drawback of havingthischeck in the prerule. I would personally prefer the script to return the error as a scriptresultrather than having to run nmap in verbose/debug mode to find out thatit's"silently" failing due to permission issues. What do you think?well, just my opinion but I think that having the check in the script rule is better. As a user I would find annoying to have "lack of privileges" messages within the script results, that would also end up in XML reports... As a script writer, if a script fails at delivering results one of the first things I would do is to re-run nmap with an higher verbosity level, so I don't find the current situation problematical. I would therefore rather prefer to avoid mixing error messages -that don't bring any information about the target- and actual script results. What do other people think about it?After I wrote is_privileged(), I did the rootfail stuff in order to notify the user of the problem without spewing forth a bunch of identical script output that was just an error message anyway. At the time (a long time ago now it seems), the only scripts using a lot of these things I implemented (or started doing) were just mine anyway, and since I was playing around a lot with them I didn't like the idea of every script on every host needlessly giving me the same message. And since I always run with debugging, I tried to keep it to just one message per script (regardless of how many hosts), again to reduce how many messages I'd see. I haven't been following this closely, but since this sounds similar, I say keep the error messages (like lacking privileges) out of the script output and in verbose/debugging. Otherwise, we'd be using script output to tell the user that they messed up (by not running with proper privileges). To me, that doesn't seem right.Regards.Cheers, Kris Katterjohn -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPEeu5AAoJEEQxgFs5kUfugWEP+wbS+q5X6WP8FNsfslqVJvCz ZgJoOGMfu8NvN4cnc+VMB0yzT9y1/cxzgzh8KnHpRWqobCMT97/i8k9CZ9oaggaj Crn0eD6FtRX/qdulub9dQEvl8Z17uNlZiWKYiCHQ64NNKTSFdhpqzOQaef0oplq/ I5kGxBIuNrJzkeCDEagKIEgN/0doIPsv70UBAx0TTmK4MJsdX0mziT3IP/7H1oOC iIkqKZ9GBWAchuDhjtgI7UCoWcOPdynExhI092pvpRCXOIbUul0W0qa1pbY9LnuH NQFjuDXlfzG7L9PSP+QO/k41jlT6GCUAYbRhaFuqQHoy8TCBAeRoDI2kCx2OTuGO GpHh2ZeCKoyj/A99XwKgQrKAgSQhH7pgcvy7x1sMs+t25Qbj/QGO9QbQ7EErcbQ8 G6kTnmNsr06k4blNLnwVwMpPvBmv7Esr+DNtzAbKBrm7d3mJnvMnzbmuBSAv17yJ Lr3PpGrUrtgwgJtB3Lc3KR50QKkOj3nvuuaIldcLPgSoNAKeKqqkKUqsz/M1MUrf 1RZ262fGfG4MZQqFsom1efK6t1e/jGRdSmDCVym6JrorowoOEFQMlqN+PWnlTmjE ZvO4PdZfpXzmBLtuAk/Pc7Ubn2G/HS83udM/4GPf8kaHxtDDLxp8FNMUC+giHcWh Bkcvkmm2/7LU4CugyG2n =Kjta -----END PGP SIGNATURE-----
The problem I see is that currently, an empty script result could mean either: - The script finished successfully, but didn't find anything to report - The script didn't run because it didn't have the appropriate privileges to do so - The script crashed for some reason and failed to complete While I get that some of us at nmap-dev would just increase verbosity and run again to see what's happening, I'm not sure this applies to everyone. I guess the problem relates to a previous discussion about errors in general not being reported properly and the only way to see if a script crashed, failed due to insufficient privileges or simply didn't find anything to report is by running in debug mode. I think there's a risk here that you rely on a script doing it's job and not finding anything, while in reality it just crashed and didn't do anything. So, in regards to the is_privileged checks, let's keep the checks in the prerule until we find a general way to report errors back to the user without cluttering the XML reports? There might be one or two more scripts that need the change in that case. Cheers, Patrik -- Patrik Karlsson http://www.cqure.net http://twitter.com/nevdull77 _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Privilege checks in broadcast-* scripts Henri Doreau (Jan 13)
- Re: Privilege checks in broadcast-* scripts Patrik Karlsson (Jan 13)
- Re: Privilege checks in broadcast-* scripts Henri Doreau (Jan 13)
- Re: Privilege checks in broadcast-* scripts Henri Doreau (Jan 13)
- Re: Privilege checks in broadcast-* scripts Patrik Karlsson (Jan 13)
- Re: Privilege checks in broadcast-* scripts Henri Doreau (Jan 13)
- Re: Privilege checks in broadcast-* scripts Patrik Karlsson (Jan 14)
- Re: Privilege checks in broadcast-* scripts Henri Doreau (Jan 14)
- Re: Privilege checks in broadcast-* scripts Kris Katterjohn (Jan 14)
- Re: Privilege checks in broadcast-* scripts Patrik Karlsson (Jan 15)
- Re: Privilege checks in broadcast-* scripts Kris Katterjohn (Jan 15)
- Re: Privilege checks in broadcast-* scripts Patrik Karlsson (Jan 15)
- Re: Privilege checks in broadcast-* scripts Kris Katterjohn (Jan 15)
- Re: Privilege checks in broadcast-* scripts Henri Doreau (Jan 13)
- Re: Privilege checks in broadcast-* scripts Henri Doreau (Jan 16)
- Re: Privilege checks in broadcast-* scripts Patrik Karlsson (Jan 13)