Nmap Development mailing list archives
Re: [NMAP::Patch] Add support for check Linux capabilities privileges
From: Fyodor <fyodor () insecure org>
Date: Sun, 13 Dec 2009 14:52:17 -0800
On Sat, Dec 12, 2009 at 10:04:13PM -0700, David Fifield wrote:
> On Tue, Dec 01, 2009 at 09:41:37AM -0200, Leonardo Amaral wrote:
>> CAP_NET_ADMIN
>>     Perform various network-related operations (e.g., setting
>>     privileged socket options, enabling multicasting, interface
>>     configuration, modifying routing tables).
>>
>> CAP_NET_BROADCAST
>>     (Unused) Make socket broadcasts, and listen to multicasts.
>>
>> CAP_NET_RAW
>>     Use RAW and PACKET sockets.
>>
>> I'm sending the patch attached to version 5.10BETA1.
>
> Hi. This is a nice idea. If I understand correctly, this would allow
> nmap to be installed not setuid, with only a few capabilities set, so
> that non-root users could run privileged scans. It would be good for
> security to run Nmap as a normal user, so that any security exploits
> wouldn't have access to everything root has access to, only some
> network and packet-sending privileges. We could encourage distributors
> to install it that way, perhaps with execution limited to an nmap
> group or something.

I'm certainly in favor of having patches like this available in the nmap-dev archives for people who want to try them and to gauge interest. I personally have mixed feelings about including such a patch in mainline Nmap. My main concerns are:

o How much of a maintenance headache will it be to maintain this system which only provides protection for Linux users, and not Windows, Mac, *BSD, or anything else?

o If it is integrated, we have to be sure it is actually secure. It might encourage people to allow non-privileged users to run Nmap with these extra privileges. But how hard would it be for users to then "exploit" Nmap to gain arbitrary execution with CAP_NET_ADMIN, CAP_NET_BROADCAST, and CAP_NET_RAW, and what damage could they do then?

So I'm not against the idea, but I think there are serious questions to address before applying any such patch. We don't want to give users a false sense of security.

Still, dropping capabilities Nmap does not need when it is run as root does not sound like a bad idea if it is easy to do. My worry is about people doing the opposite and letting normal users run Nmap with these extra privileges--e.g. using the fact that capabilities are dropped as an excuse to make Nmap setuid.

Cheers,
-F
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
Current thread:
- [NMAP::Patch] Add support for check Linux capabilities privileges Leonardo Amaral (Dec 01)
- Re: [NMAP::Patch] Add support for check Linux capabilities privileges David Fifield (Dec 12)
- Re: [NMAP::Patch] Add support for check Linux capabilities privileges Fyodor (Dec 13)
- Re: [NMAP::Patch] Add support for check Linux capabilities privileges Leonardo Amaral (Dec 13)
- Re: [NMAP::Patch] Add support for check Linux capabilities privileges David Fifield (Dec 12)