Nmap Development mailing list archives
Re: [Patch] Automatically switch to privileged when Nmap has required capabilities
From: Jay Bosamiya <jaybosamiya () gmail com>
Date: Sun, 17 Aug 2014 19:01:45 +0530
On Wednesday 13 August 2014 09:45 PM, Patrick Donnelly wrote:
I agree with Dan here. Of particular concern is the ability of a user to run arbitrary NSE scripts that can sniff network traffic and create packets with malicious headers. I do very much like the idea of Nmap downgrading privileges when run as root, keeping only the capabilities that it needs.
List, Taking into account all the discussion that happened on this topic, I've modified the original patch (a lot!). Attached is the new patch. Here's a summary of the changes: * If capabilities exist for the nmap executable file, then use them * If --unprivileged is used, then drop privileges (and also drop capabilities) * If run as root, then drop privileges without losing the capabilities that it needs * The user to drop to is currently fixed to "nobody" but the code has been written in such a way that it will be trivial to add a CLI option to choose the user to drop to (just have to do a `o.drop_user = strdup(optarg);`). I have currently not added such a CLI option because of being unsure of the security implications of this. * Two new make targets o "make setcap" grants capabilities to the nmap executable in the same directory o "make setcap-install" grants capabilities to nmap executable in the installation path Feedback is welcome as always :) Cheers, Jay
Attachment:
capabilities_with_drop_privileges.patch
Description:
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [Patch] Automatically switch to privileged when Nmap has required capabilities Jay Bosamiya (Aug 13)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Daniel Miller (Aug 13)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities nnposter (Aug 13)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Patrick Donnelly (Aug 13)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Jay Bosamiya (Aug 17)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Patrick Donnelly (Aug 18)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Daniel Miller (Aug 18)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Jay Bosamiya (Aug 18)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Daniel Miller (Aug 13)