Nmap Development mailing list archives
Re: [Patch] Automatically switch to privileged when Nmap has required capabilities
From: Patrick Donnelly <batrick () batbytes com>
Date: Wed, 13 Aug 2014 12:15:04 -0400
On Wed, Aug 13, 2014 at 8:36 AM, Daniel Miller <bonsaiviking () gmail com> wrote:
> > * When installing Nmap through "make install", we can grant the capabilities (by default) so that users can use privileged features without the security risk of running as root.
>
> This is not a good idea, because these capabilities are protecting privileged operations that admins may not want to grant to regular users. Specifically, being able to sniff network traffic, possibly being permitted to manage network interfaces, etc. On the other hand, we could ship a simple script to do this, or create a new make target, "make setcap" or something, to make it easier for people to do it on their own.
I agree with Dan here. Of particular concern is the ability of a user to run arbitrary NSE scripts that can sniff network traffic and create packets with malicious headers. I do very much like the idea of Nmap downgrading privileges when run as root, keeping only the capabilities that it needs.

--
Patrick Donnelly
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
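The check named in the thread's subject, as an added example in C that is not part of this message or of the patch: it reads the effective capability mask from `/proc/<pid>/status` text and reports privileged mode only when every required bit is set, failing closed on malformed input. The required set (CAP_NET_ADMIN and CAP_NET_RAW), the function names and the sample status text are assumptions; the thread does not list the capabilities the patch tests.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from <linux/capability.h>: CAP_NET_ADMIN = 12, CAP_NET_RAW = 13.
 * Assumed required set; the thread does not say what the patch checks. */
#define REQUIRED_CAPS ((1ULL << 12) | (1ULL << 13))

/* Constructed sample status text (not captured from a real system). */
static const char SAMPLE_UNPRIV[] =
    "Name:\tnmap\nUid:\t1000\t1000\t1000\t1000\n"
    "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n";
static const char SAMPLE_SETCAP[] =
    "Name:\tnmap\nUid:\t1000\t1000\t1000\t1000\n"
    "CapPrm:\t0000000000003000\nCapEff:\t0000000000003000\n";

/* Extract the effective capability mask from /proc/<pid>/status text.
 * Returns 0 on success, -1 if the CapEff line is missing or malformed. */
int parse_cap_eff(const char *status, uint64_t *mask)
{
    const char *p = status;
    while (p && *p) {                       /* p is always at a line start */
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *q = p + 7;
            while (*q == ' ' || *q == '\t') q++;
            if (!isxdigit((unsigned char)*q)) return -1;
            *mask = strtoull(q, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* Privileged mode is justified only when every required bit is effective. */
int has_required_caps(const char *status)
{
    uint64_t eff;
    if (parse_cap_eff(status, &eff) != 0) return 0;   /* fail closed */
    return (eff & REQUIRED_CAPS) == REQUIRED_CAPS;
}

int main(void)
{
    printf("unprivileged: %d\n", has_required_caps(SAMPLE_UNPRIV));
    printf("with caps:    %d\n", has_required_caps(SAMPLE_SETCAP));
    return 0;
}
```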
Current thread:
- [Patch] Automatically switch to privileged when Nmap has required capabilities Jay Bosamiya (Aug 13)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Daniel Miller (Aug 13)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities nnposter (Aug 13)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Patrick Donnelly (Aug 13)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Jay Bosamiya (Aug 17)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Patrick Donnelly (Aug 18)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Daniel Miller (Aug 18)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Jay Bosamiya (Aug 18)
- Re: [Patch] Automatically switch to privileged when Nmap has required capabilities Daniel Miller (Aug 13)