Nmap Development mailing list archives

Re: The results of your email commands


From: Ganesh Hegde <ganesh.hegde.samartha () gmail com>
Date: Tue, 17 Aug 2010 09:19:39 +0530

Thanks for the suggestions, David. And I am sorry for the subject line
of this posting ("The results of your email commands"). Somehow I
overlooked the subject line when starting this thread.

On Mon, Aug 16, 2010 at 7:50 PM, David Fifield <david () bamsoftware com> wrote:
> On Sun, Aug 15, 2010 at 04:08:38PM +0530, Ganesh Hegde wrote:
> > Hi,
> >
> > In one of the projects, we are faced with the requirement of detecting
> > the OS on remote machines and displaying the information in a table on
> > a web page. We decided to use a PHP script to run the nmap tool.
> > Although I don't have the complete source code of the script, it's
> > enough to say that one of the lines in the script is:
> > nmap -O host-ip-address
> >
> > The problem we faced was that this script wouldn't work if the process
> > running the script didn't have super-user privileges. The only
> > workaround I could think of was changing the permission of the nmap
> > program to setuid-to-root. The OS on which the script runs is Linux.
> >
> > 1. In this situation what are the security concerns we need to be aware of?
> > 2. Is there an alternate way of remotely detecting OS without using
> > the setuid to root permission for nmap?
>
> It is a security risk to run Nmap setuid root. Consider, for example,
> that anyone could instruct Nmap to overwrite an important system file
> with a log.
>
> http://seclists.org/nmap-dev/2005/q2/46
>
> On Linux, a better way is to grant the nmap binary the CAP_NET_RAW
> capability (with the setcap program) and then run it with the
> --privileged option. This will let Nmap use raw sockets but not use any
> other of root's powers.
>
> Another way is to create a setuid wrapper program that is only capable
> of running Nmap in strictly limited ways that you choose.
>
> David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
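
A sketch of the restricted wrapper suggested in the reply above, as an added example that is not code from this thread or from the Nmap project. The install path /usr/bin/nmap, the program name nmap-os and the function names are assumptions; the wrapper accepts one literal IP address and runs only "nmap -O" on it with an empty environment.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NMAP_PATH "/usr/bin/nmap"  /* assumed install path; keep it absolute */

/* Accept only a literal IPv4 or IPv6 address. Hostnames, ranges, and
 * anything starting with '-' fail here, so the caller cannot pass an
 * option (for example one that names an output file). */
static int is_literal_address(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    if (s == NULL || strlen(s) >= INET6_ADDRSTRLEN)
        return 0;
    return inet_pton(AF_INET, s, buf) == 1 ||
           inet_pton(AF_INET6, s, buf) == 1;
}

/* Build the single fixed command line the wrapper may run.
 * Returns 0 on success, -1 if the target is rejected. */
static int build_argv(const char *target, const char *out[5])
{
    int i = 0;
    if (!is_literal_address(target))
        return -1;
    out[i++] = "nmap";
    out[i++] = "-O";
    if (strchr(target, ':') != NULL)
        out[i++] = "-6";           /* Nmap needs -6 for IPv6 targets */
    out[i++] = target;
    out[i] = NULL;
    return 0;
}

int main(int argc, char *argv[])
{
    const char *nmap_argv[5];
    char *const clean_env[] = { NULL };  /* drop caller's NMAPDIR, PATH, ... */

    if (argc != 2 || build_argv(argv[1], nmap_argv) != 0) {
        fputs("usage: nmap-os <ip-address>\n", stderr);
        return 2;
    }
    execve(NMAP_PATH, (char *const *)nmap_argv, clean_env);
    perror("execve");
    return 127;
}
```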
