Nmap Development mailing list archives

Re: [NMAP::Patch] Add support for check Linux capabilities privileges


From: Fyodor <fyodor () insecure org>
Date: Sun, 13 Dec 2009 14:52:17 -0800

On Sat, Dec 12, 2009 at 10:04:13PM -0700, David Fifield wrote:
> On Tue, Dec 01, 2009 at 09:41:37AM -0200, Leonardo Amaral wrote:
>
> > CAP_NET_ADMIN
> >         Perform various network-related operations (e.g.,
> >         setting privileged socket options, enabling multicasting,
> >         interface configuration, modifying routing tables).
> >
> > CAP_NET_BROADCAST
> >         (Unused) Make socket broadcasts, and listen to multicasts.
> >
> > CAP_NET_RAW
> >         Use RAW and PACKET sockets.
> >
> > I'm sending the patch attached to version 5.10BETA1.
>
> Hi. This is a nice idea. If I understand correctly, this would allow
> nmap to be installed not setuid, with only a few capabilities set, so
> that non-root users could run privileged scans. It would be good for
> security to run Nmap as a normal user, so that any security exploits
> wouldn't have access to everything root has access to, only some network and
> packet-sending privileges. We could encourage distributors to install it
> that way, perhaps with execution limited to an nmap group or something.

I'm certainly in favor of having patches like this available in the
nmap-dev archives for people who want to try them and to gauge
interest.  I personally have mixed feelings about including such a
patch in mainline Nmap.  My main concerns are:

o How much of a maintenance headache will it be to maintain this
  system which only provides protection for Linux users, and not
  Windows, Mac, *BSD, or anything else?

o If it is integrated, we have to be sure it is actually secure.  It
  might encourage people to allow non-privileged users to run Nmap with
  these extra privileges.  But how hard would it be for users to then
  "exploit" Nmap to gain arbitrary execution with CAP_NET_ADMIN,
  CAP_NET_BROADCAST, and CAP_NET_RAW, and what damage could they do
  then?

So I'm not against the idea, but I think there are serious questions
to address before applying any such patch.  We don't want to give
users a false sense of security.  Still, dropping capabilities Nmap
does not need when it is run as root does not sound like a bad idea if
it is easy to do.  My worry is about people doing the opposite and
letting normal users run Nmap with these extra privileges--e.g. using
the fact that capabilities are dropped as an excuse to make Nmap
setuid.

Cheers,
-F
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
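The thread turns on which capabilities an Nmap process actually holds versus the two it needs for raw-socket scans. As an added example that is not part of this thread or of the patch under discussion, the script below audits a `/proc/<pid>/status` snapshot: it decodes the `CapEff` mask, reports which of CAP_NET_ADMIN and CAP_NET_RAW are missing, and lists every extra capability that a "drop what we don't need" step would remove. The bit numbers come from `linux/capability.h`; the sample status texts are constructed, and the `NMAP_NEEDED` set is an assumption for illustration.

```python
import re

# Capability bit numbers from linux/capability.h (stable kernel ABI values).
CAP_NAMES = {
    11: "CAP_NET_BROADCAST",  # documented as unused on Linux
    12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW",
}
# Assumed minimal set for raw-packet scanning (assumption, not from the patch).
NMAP_NEEDED = frozenset({"CAP_NET_ADMIN", "CAP_NET_RAW"})


def parse_cap_masks(status_text):
    """Return {'CapInh': int, 'CapPrm': int, 'CapEff': int, ...} from status text."""
    masks = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE):
        masks[m.group(1)] = int(m.group(2), 16)
    return masks


def decode_caps(mask):
    """Name every set bit; bits other than the three NET caps are reported as CAP_<n>."""
    return {CAP_NAMES.get(bit, f"CAP_{bit}") for bit in range(64) if (mask >> bit) & 1}


def audit(status_text, needed=NMAP_NEEDED):
    """Compare the effective set against what the scanner needs."""
    eff = decode_caps(parse_cap_masks(status_text)["CapEff"])
    return {
        "effective": eff,
        "missing": set(needed - eff),  # raw-socket scans will fail without these
        "excess": eff - needed,        # what dropping unneeded capabilities would shed
    }


# Constructed sample: a binary granted exactly CAP_NET_ADMIN|CAP_NET_RAW (bits 12,13 -> 0x3000).
SAMPLE_CAPPED = "Name:\tnmap\nCapInh:\t0000000000000000\nCapPrm:\t0000000000003000\nCapEff:\t0000000000003000\n"
# Constructed sample: a root-run process holding the full set (bits 0..40).
SAMPLE_ROOT = "Name:\tnmap\nCapEff:\t000001ffffffffff\n"
# Constructed sample: an unprivileged user with no capabilities at all.
SAMPLE_NONE = "Name:\tnmap\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    try:
        with open("/proc/self/status") as f:  # live check on a Linux host
            print(audit(f.read()))
    except FileNotFoundError:
        print(audit(SAMPLE_ROOT))  # non-Linux: show the constructed root sample instead
```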