Nmap Development mailing list archives
[Patch] Automatically switch to privileged when Nmap has required capabilities
From: Jay Bosamiya <jaybosamiya () gmail com>
Date: Wed, 13 Aug 2014 16:52:27 +0530
Hi All! Until now, even if Nmap had capabilities (CAP_NET_RAW, CAP_NET_ADMIN, CAP_NET_BIND_SERVICE), it would not be able to use them unless --privileged was specified. The attached patch let's Nmap automatically switch to privileged if it has all the above capabilities. The patch requires the libcap library but we don't need to ship it with Nmap since it is a pretty common library. While I was working on this feature, I got a couple of ideas for follow ups: * If the executable itself has been granted the capabilities (using `sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip nmap`) and if Nmap is run as root, then tell the user that root is unnecessary, drop privileges and switch to the user "nobody/nogroup". This seems to be having some problems, however, when implementing. The moment the user is dropped to nobody/nogroup, the capabilities too are unusable. I am still looking into this. * When installing Nmap through "make install", we can grant the capabilities (by default) so that users can use privileged features without the security risk of running as root. * If the user specifies --unprivileged, drop the user to "nobody/nogroup" whenever possible so that it is more secure. What do you think about the ideas? Feedback (for patch and/or ideas) is appreciated, as always :) Note: When reviewing the patch, you can ignore the changes to the configure script since it is automatically generated using autoconf. Cheers, Jay
Attachment:
capabilities.patch
Description:
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [Patch] Automatically switch to privileged when Nmap has required capabilities Jay Bosamiya (Aug 13)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Daniel Miller (Aug 13)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities nnposter (Aug 13)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Patrick Donnelly (Aug 13)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Jay Bosamiya (Aug 17)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Patrick Donnelly (Aug 18)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Daniel Miller (Aug 18)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Jay Bosamiya (Aug 18)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Daniel Miller (Aug 13)