Nmap Development mailing list archives

Re: Draft for hosted cgi


From: Fyodor <fyodor () insecure org>
Date: Fri, 26 May 2006 14:06:40 -0700

On Fri, May 26, 2006 at 05:49:18PM -0300, Arturo 'Buanzo' Busleiman wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Fyodor wrote:
> > (I think this is where we should do the checks that the command line
> > is reasonably sized and that only known-safe options are used) (to
> > exclude things like -o or --interactive or -iL).  Also, do some sanity
> > checks such as not letting a single option argument be 2K.
> 
> mmm...
> 
> What about adding some --safe-only parameter to nmap that would cause it to disable the usage of
> --interactive or --il?

Because Nmap itself really doesn't know what is "safe" in this
context.  For example, the daemon itself is likely to be adding its
own -oA option to save the results somewhere.  But clearly that is one
of the most dangerous options when Nmap is running as root.

I do like the idea of using SELinux to lock the daemon (and Nmap)
down, if Julien is using a system which includes SELinux.  That would
make it easy to say, for example, that Nmap can only write in
directories with the given nmap-output-t label or whatever.  Also,
that (SELinux config) can be added later.  Of course that should be an
_additional_ layer of protection -- it should be secure even without
that.

> Seems much better than applying "hey, let's see if we can sanitize this weeeeeeeird user-input".

Well, to some degree it just shifts the problem of sanitizing the weird input to Nmap.

Cheers,
-F
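The checks the thread discusses (a size-limited command line, an allow list of known-safe options that keeps every -o* output option, --interactive and -iL out, and a 2K cap on any single argument), as an added Python example. This is not the hosted cgi daemon's code and not anything posted in the thread; the option allow list, the size limits, the results directory and the job-id scheme are assumptions made for the illustration. It also shows the point about -oA: the daemon appends its own output option after validation, from a path it controls, instead of asking Nmap to decide what is safe.

```python
"""Allow-list validation of user-supplied Nmap options for a hosted scan
front end.  Added illustration for this thread, not the cgi daemon's code;
the allow list, size limits, output directory and job-id format are assumed."""
import re
import subprocess

MAX_CMDLINE = 4096   # assumed total limit ("reasonably sized" command line)
MAX_ARG = 2048       # assumed per-argument limit ("not ... 2K")
OUTPUT_DIR = "/var/lib/nmap-cgi/results"   # assumed daemon-owned directory

# Only these reach Nmap.  Anything else, including every -o* output option,
# --interactive and -iL, is rejected simply by not being listed.
SAFE_FLAGS = {"-sS", "-sT", "-sV", "-sn", "-Pn", "-F", "-O", "-v"} | {
    f"-T{n}" for n in range(6)}
# Options that take a separate value; the value must match the pattern.
SAFE_VALUE_OPTS = {"-p": re.compile(r"^[0-9,\-]{1,64}$")}
# Targets: plain hostnames or IPv4 literals, no CIDR or range syntax.
TARGET_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]{0,252}$")
# Job ids are chosen by the daemon, never by the user.
JOB_ID_RE = re.compile(r"^[A-Za-z0-9]{8,32}$")


class UnsafeOption(ValueError):
    """Raised for any argument the front end is not willing to pass through."""


def validate_args(user_args):
    """Return a validated copy of user_args, or raise UnsafeOption."""
    if sum(len(a) + 1 for a in user_args) > MAX_CMDLINE:
        raise UnsafeOption("command line too long")
    for a in user_args:
        if len(a) > MAX_ARG:
            raise UnsafeOption("single argument too long")
    out, i = [], 0
    while i < len(user_args):
        a = user_args[i]
        if a in SAFE_FLAGS:
            out.append(a)
        elif a in SAFE_VALUE_OPTS:
            # the value must exist and match the option's pattern
            if i + 1 >= len(user_args) or not SAFE_VALUE_OPTS[a].match(user_args[i + 1]):
                raise UnsafeOption(f"bad value for {a}")
            out.extend([a, user_args[i + 1]])
            i += 1
        elif a.startswith("-"):
            raise UnsafeOption(f"option not on the allow list: {a}")
        elif TARGET_RE.match(a):
            out.append(a)
        else:
            raise UnsafeOption(f"bad target: {a}")
        i += 1
    return out


def build_command(user_args, job_id):
    """Full argv: validated user options first, then the daemon's own -oA.
    The output path comes from a daemon-chosen job id, never from user input,
    since -o* is the option that matters most when Nmap runs as root."""
    if not JOB_ID_RE.match(job_id):
        raise UnsafeOption("bad job id")
    return ["nmap", *validate_args(user_args), "-oA", f"{OUTPUT_DIR}/{job_id}"]


def is_accepted(user_args):
    """True if validate_args would pass user_args through."""
    try:
        validate_args(user_args)
        return True
    except UnsafeOption:
        return False


def run_scan(user_args, job_id):
    """Run the validated command as an argv list: no shell ever re-parses it."""
    return subprocess.run(build_command(user_args, job_id),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print(build_command(["-sV", "-T4", "-p", "22,80", "192.0.2.10"], "job0001ab"))
    for bad in (["-oA", "/tmp/out", "192.0.2.10"], ["--interactive"], ["-iL", "targets.txt"]):
        print(bad, "->", "accepted" if is_accepted(bad) else "rejected")
```

Running the file prints the argv for one accepted scan and the verdict on three rejected inputs. Because validation is an allow list, the daemon does not need to enumerate dangerous options; the -oA it adds itself never passes through the user path at all. SELinux confinement of where Nmap may write, as the message says, belongs on top of this, not instead of it.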


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev

