Bug 492794 - net-analyzer/nmap - use file capabilities to remove need for root to run nmap
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Netmon project
Keywords: NeedPatch
Reported: 2013-11-28 13:37 UTC by Andrew Waters
Modified: 2015-05-14 10:08 UTC
Description Andrew Waters 2013-11-28 13:37:38 UTC
nmap requires root access. It would be useful to use file capabilities, as per wireshark, to allow nmap to be run as a normal user.

Details can be found here:
https://secwiki.org/w/Running_nmap_as_an_unprivileged_user

Reproducible: Always

Actual Results:  
$ nmap -sU -F --privilege 192.168.12.2

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-28 13:11 GMT
socket troubles in Init: Operation not permitted (1)

Expected Results:  
$ nmap -sU -F --privilege 192.168.12.2

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-28 13:14 GMT
Nmap scan report for icon (192.168.12.2)
Host is up (0.00021s latency).
PORT    STATE  SERVICE
4/udp   closed unassigned
161/udp closed snmp

Read from /usr/bin/../share/nmap: nmap-services.
Read from /usr/bin/../share/nmap: nmap-payloads.
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
Comment 1 Rick Farina (Zero_Chaos) gentoo-dev 2015-05-12 16:28:59 UTC
I've added the fcaps and done some basic testing and it appears to work as expected when I spell privileged correctly.  Please test and confirm that this works, and if anyone could check that I did this right that would be even better.
Comment 2 Rick Farina (Zero_Chaos) gentoo-dev 2015-05-12 16:29:52 UTC
nmap live (9999) ebuild has been updated.  I will backport the changes as soon as someone else confirms that the filecaps were done correctly and I didn't just do something terrible.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-13 05:21:22 UTC
So you added it to an ebuild that no one will be testing.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-13 05:48:42 UTC
If your implementation is buggy we'll fix that through a new bug report.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-14 09:58:47 UTC
Your implementation _was_ buggy. You were not setting proper ownership and permissions in the case where fcaps.eclass succeeded in setting the capabilities, allowing _anyone_ to send raw packets. I have reverted those changes.

Reopen this bug report when you have a safe patch and don't commit anything.

Looks like someone removed the LATER resolution so I'll leave the bug status in place for now.
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-14 10:08:10 UTC
CC'ing security as they may want to evaluate whether this needs to go through the usual GLSA mangling.

During a period of about a day, both net-analyzer/nmap-9999 (not keyworded) and net-analyzer/nmap-6.47-r3 (marked ~arch) allowed any user to run nmap with capabilities cap_net_raw,cap_net_admin,cap_net_bind_service+eip, possibly resulting in a security breach. All fcaps.eclass related changes have since been reverted.
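
An audit check for the condition described in comments 5 and 6, as an added example that is not part of the bug report or of any Gentoo ebuild: it decodes the `security.capability` extended attribute that file capabilities are stored in and reports a binary that carries permitted capabilities while being executable by "other". The function names and the sample attribute value are constructed for illustration, and treating world-execute as the unsafe case is this example's assumption.

```python
import os
import stat
import struct

# Constants from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
U32_PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}  # revision -> u32 pairs
CAP_NAMES = {10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw"}


def decode_fcaps(blob):
    """Decode the xattr into (permitted, inheritable, effective_flag)."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    pairs = U32_PAIRS[magic & VFS_CAP_REVISION_MASK]
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return permitted, inheritable, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)


def audit(mode, blob):
    """Return a finding if a file with permitted caps is executable by 'other'."""
    if not blob:
        return None  # no file capabilities set
    permitted, _, effective = decode_fcaps(blob)
    if permitted and mode & stat.S_IXOTH:
        names = sorted(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if permitted >> b & 1)
        return {"mode": oct(stat.S_IMODE(mode)), "caps": names, "effective": effective}
    return None  # capabilities present, but not reachable by arbitrary users


def audit_path(path):
    """Linux only: read the mode and the xattr from a real file."""
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError:
        blob = b""  # attribute absent or unsupported filesystem
    return audit(os.stat(path).st_mode, blob)


# Constructed sample: revision 2 xattr with the capability set named in comment 6 (+eip)
MASK = (1 << 10) | (1 << 12) | (1 << 13)
SAMPLE = struct.pack("<IIIII", 0x02000000 | VFS_CAP_FLAGS_EFFECTIVE, MASK, MASK, 0, 0)

if __name__ == "__main__":
    print(audit(0o100755, SAMPLE))  # world-executable binary: reported
    print(audit(0o100750, SAMPLE))  # owner and group only: not reported
```

On a live system, `audit_path()` can be pointed at the installed binary; a non-`None` result means any local user can execute it with the listed capabilities.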