Nmap Development mailing list archives

Re: nmap to use with sudo (but prevent privilege escalation vectors)


From: Robin Wood <robin@digi.ninja>
Date: Wed, 18 Oct 2023 08:46:58 +0100

Hi
What about if you put nmap in a Docker container and, after each scan,
threw the container away and built a new one for the next scan?

That way you could lock down as far as you can, but if the user
manages to read the shadow file or overwrite something important, they
would only destroy their instance and not affect the rest of the
system.

I will add, though, that my Docker skills are very limited, so this is
just a vague idea that may be a load of rubbish.

Robin

On Wed, 18 Oct 2023 at 03:55, spearphish () gmail com <spearphish () gmail com> wrote:

I'm trying to configure nmap for use with sudo without allowing privilege escalation. I managed to come up with several sudoers rules for it to be usable without allowing privilege escalation (e.g. using noexec, not allowing scripts, etc.).

However, there is an issue with the "-iL" parameter, as this can be used to read any privileged file(s) (including root-only files, e.g. /etc/shadow).

(Question 1:) Any recommendation for it to still be allowed with sudo but not be able to read privileged files?

I tried setting up a sudoers rule for it to only be usable in a specific directory, but that was easily bypassed using symlinks.

(Question 2:) Also, any recommendation for the other nmap output parameters (e.g. -oG, -oN, -oX, etc.) to still be usable with sudo but not be able to overwrite privileged files?

I already have a sudoers rule to prevent appending to files by not allowing "--append-output"; however, those output parameters can still be used to disrupt the system (e.g. overwrite a critical system file).

(Question 3:) I have also read https://secwiki.org/w/Running_nmap_as_an_unprivileged_user; there is a warning/security concern there, but do you think this would be a better approach rather than coming up with several sudoers rules to prevent privilege escalation?

I would appreciate any response.

Many thanks in advance.

Best Regards,
Ameer Pornillos
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at https://seclists.org/nmap-dev/
_______________________________________________
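The sudoers rules in the original post try to describe, in terms of argument spellings, which files root-running nmap may touch. A different way to answer Questions 1 and 2 is to let sudo run a small root-owned wrapper instead of nmap itself, and to have that wrapper perform every user-chosen file open with the invoking user's privileges: the -iL list is read by a process running as the user, and -oN/-oX/-oG results are written back by a process running as the user, so the user can only read or overwrite what they already could without sudo, and symlink tricks gain nothing. The wrapper below is an added example for this thread, not code from the thread or from the Nmap project. It assumes a Linux host with util-linux runuser(1), nmap at /usr/bin/nmap, the wrapper installed root-owned at /usr/local/sbin/nmap-wrapper, and a sudoers line such as `%scanners ALL=(root) NOPASSWD: /usr/local/sbin/nmap-wrapper` (all of these names are assumptions). Options that load code or open paths inside nmap (--script*, --datadir, --resume, --excludefile, --append-output, -oA, -A, -sC) never reach nmap at all; the option check is an exact-spelling allowlist rather than a deny-list because nmap parses long options with getopt_long, which accepts any unambiguous prefix, so forbidding the literal string "--append-output" in sudoers does not forbid "--append".

```shell
#!/bin/sh
# nmap-wrapper: hypothetical sudo target for this thread (not part of nmap).
# Root never opens a user-supplied path itself: -iL input is read, and
# -oN/-oX/-oG output is written, by a process running as the invoking user.
# Assumed sudoers line:  %scanners ALL=(root) NOPASSWD: /usr/local/sbin/nmap-wrapper
# Assumed: Linux + util-linux runuser(1), nmap at /usr/bin/nmap, wrapper
# installed root-owned mode 0755, sudo exporting SUDO_USER.
set -eu

NMAP=/usr/bin/nmap

# Exact-spelling allowlist. getopt_long accepts any unambiguous prefix of a
# long option (--app for --append-output), so a deny-list of spellings is
# bypassable; anything not listed here (or intercepted below) is rejected.
is_allowed_flag() {
    case "$1" in
        -s[STUAWMNFXVnLYZO]|-O|-F|-f|-n|-R|-r|-6|-Pn|-PE|-PP|-PM|-P[SAUO]*|\
        -v|-vv|-vvv|-d|-dd|-d[0-9]|-T[0-5]|-p?*|-g?*|-e?*|-S?*|-D?*|\
        --open|--reason|--traceroute|--packet-trace|--osscan-guess|\
        --version-light|--version-all|--version-intensity=*|--badsum|\
        --top-ports=*|--exclude=*|--host-timeout=*|--max-retries=*|\
        --min-rate=*|--max-rate=*|--scan-delay=*|--max-scan-delay=*|\
        --min-hostgroup=*|--max-hostgroup=*|--source-port=*|--mtu=*|\
        --data-length=*|--ttl=*|--spoof-mac=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate argv and print a tab-separated plan: "ARG <token>" lines form
# nmap's argv; "IN <user-path> <tmp-path>" and "OUT <user-path> <tmp-path>"
# record which files must be read/written as the user. $1 is the temp dir.
plan_args() {
    pdir=$1; shift
    while [ $# -gt 0 ]; do
        tok=$1; shift
        case "$tok" in
            -iL|-iL?*)                               # target list: read as the user
                if [ "$tok" = -iL ]; then [ $# -gt 0 ] || return 1; src=$1; shift
                else src=${tok#-iL}; fi
                printf 'IN\t%s\t%s\n' "$src" "$pdir/input.lst"
                printf 'ARG\t-iL\nARG\t%s\n' "$pdir/input.lst" ;;
            -o[NXG]|-o[NXG]?*)                       # output file: nmap writes to tmp
                fmt=${tok#-o}; fmt=${fmt%"${fmt#?}"}
                case "$fmt" in N) ext=nmap ;; X) ext=xml ;; G) ext=gnmap ;; esac
                if [ "$tok" = "-o$fmt" ]; then [ $# -gt 0 ] || return 1; dst=$1; shift
                else dst=${tok#-o?}; fi
                printf 'OUT\t%s\t%s\n' "$dst" "$pdir/out.$ext"
                printf 'ARG\t-o%s\nARG\t%s\n' "$fmt" "$pdir/out.$ext" ;;
            -p|-g|-e|-S|-D|--top-ports|--exclude|--host-timeout|--max-retries|--min-rate|--max-rate)
                [ $# -gt 0 ] || return 1             # detached value: pass through
                printf 'ARG\t%s\nARG\t%s\n' "$tok" "$1"; shift ;;
            "") return 1 ;;
            -*) is_allowed_flag "$tok" || { echo "nmap-wrapper: option not permitted: $tok" >&2; return 1; }
                printf 'ARG\t%s\n' "$tok" ;;
            *)  printf 'ARG\t%s\n' "$tok" ;;         # target specification
        esac
    done
}

main() {
    user=${SUDO_USER:-}
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "nmap-wrapper: must be invoked through sudo by a non-root user" >&2; exit 1
    fi
    tmpdir=$(mktemp -d)                              # root-owned 0700: the user cannot race it
    trap 'rm -rf "$tmpdir"' EXIT
    plan=$(plan_args "$tmpdir" "$@") || exit 1
    tab=$(printf '\t')
    set --                                           # rebuild nmap's argv from the plan
    while IFS="$tab" read -r kind a b; do
        case "$kind" in
            ARG) set -- "$@" "$a" ;;
            IN)  runuser -u "$user" -- cat -- "$a" > "$b" ;;   # open() happens as the user
        esac
    done <<EOF
$plan
EOF
    status=0
    "$NMAP" "$@" || status=$?
    while IFS="$tab" read -r kind a b; do             # deliver results as the user
        if [ "$kind" = OUT ] && [ -f "$b" ]; then
            runuser -u "$user" -- sh -c 'cat > "$1"' sh "$a" < "$b"
        fi
    done <<EOF
$plan
EOF
    exit "$status"
}

if [ "${0##*/}" = nmap-wrapper ]; then main "$@"; fi
```

Usage is `sudo nmap-wrapper -sS -p 80 -iL hosts.txt -oX out.xml 10.0.0.0/24`. Two caveats belong with this. First, sudo's default env_reset must stay in force (no env_keep for NMAPDIR), because nmap also locates its data directory from that variable and the wrapper only filters argv. Second, -oA, --resume and --excludefile are rejected rather than handled; they can be added the same way -iL and -oN are. On Robin's suggestion: a throwaway container limits what an overwritten file can damage, but root inside the container still reads whatever is mounted into it, so for the -iL case it is still the user's privileges, not root's, that should open the file.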