Nmap Development mailing list archives
Re: Draft for hosted cgi
From: Fyodor <fyodor () insecure org>
Date: Fri, 26 May 2006 14:06:40 -0700
On Fri, May 26, 2006 at 05:49:18PM -0300, Arturo 'Buanzo' Busleiman wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Fyodor wrote:(I think this is where we should do the checks that the command line is reasonably sized and that only known-safe options are used) (to exclude things like -o or --interactive or -iL). Also, do some sanity checks such as not letting a single option argument be 2K.mmm... What about adding some --safe-only parameter to nmap that would cause it to disable the usage of - --interactive or --il?
Because Nmap itself really doesn't know what is "safe" in this context. For example, the daemon itself is likely to be adding its own -oA option to save the results somewhere. But clearly that is one of the most dangerous options when Nmap is running as root. I do like the idea of using SELinux to lock the daemon (and Nmap) down, if Julien is using a system which includes SELinux. That would make it easy to say, for example, that Nmap can only write in directories with the given nmap-output-t label or whatever. Also, that (SELinux config) can be added later. Of course that should be an _additional_ layer of protection -- it should be secure even without that.
Seems much better than applying "hey, let's see if we can sanitize this weeeeeeeird user-input" .
Well, to some degree it just shifts the problem of sanatizing the weird input to Nmap. Cheers, -F _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
Current thread:
- Re: Draft for hosted cgi, (continued)
- Re: Draft for hosted cgi KarMax (May 24)
- Re: Draft for hosted cgi Arturo 'Buanzo' Busleiman (May 24)
- Re: Draft for hosted cgi Julien Delange (May 24)
- Re: Draft for hosted cgi Arturo 'Buanzo' Busleiman (May 25)
- Re: Draft for hosted cgi Richard Moore (May 24)
- Re: Draft for hosted cgi Fyodor (May 26)
- Re: Draft for hosted cgi Arturo 'Buanzo' Busleiman (May 26)
- Re: Draft for hosted cgi Fyodor (May 26)
- Re: Draft for hosted cgi Arturo 'Buanzo' Busleiman (May 26)
- Re: Draft for hosted cgi Louis Nyffenegger (May 26)
- Re: Draft for hosted cgi Fyodor (May 26)
- Re: Draft for hosted cgi Arturo 'Buanzo' Busleiman (May 26)
- Re: Draft for hosted cgi Arturo 'Buanzo' Busleiman (May 26)
- Re: Draft for hosted cgi Julien Delange (May 29)
- Re: Draft for hosted cgi KarMax (May 29)
- Re: Draft for hosted cgi Fyodor (May 29)
- Re: Draft for hosted cgi Fyodor (May 29)
- Re: Draft for hosted cgi KarMax (May 24)