Nmap Development: Re: Running NMAP as a non root user - patch

Re: Running NMAP as a non root user - patch

From: Fyodor <fyodor_at_insecure.org>
Date: Mon, 16 May 2005 19:47:49 -0700

On Mon, May 16, 2005 at 10:48:00PM +0200, Felix Gröbert wrote:
> A setuid nmap executable is a bad idea. So do not chmod +s it if your
> friend wants to test his firewall rules from your box:

I agree. And the man page makes this crystal clear in 2 places:

  "nmap should be run as root whenever possible (not setuid root, of
   course)."

  "Nmap should never be installed with special privileges (eg suid
   root) for security reasons."

> A nice backdoor... --interactive isn't in the man page, maybe for a
> reason

It's not a backdoor, since people have to install Nmap in a
non-default way in direct violation of repeated security warnings in
the man page in order to be "vulnerable". And as others have noted on
this thread, interactive mode is only one of many huge security risks
of running Nmap setuid.

Interactive mode isn't in the man page, though here is the text from
the release announcement when it was added more than 5 years ago:

 "[2.3BETA12] contains some cool new features. One is interactive
  mode, which gives you an interactive Nmap prompt and allows you
  to easily launch multiple scans (either synchronously or in the
  background). This is useful for people who scan from multi-user
  systems -- they often want to test their security without letting
  everyone else on the system know exactly what systems they are
  scanning. Use --interactive to activate this mode and then type 'h'
  for help."
    --http://seclists.org/lists/nmap-hackers/2000/Jan-Mar/0000.html

I've added a short note about --interactive to the man page for the
next Nmap. But it is a relatively useless option that I may
eventually remove. Your normal shell is probably much more
convenient.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Received on May 16 2005
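An added check, not part of the original thread and not Nmap's own code: a POSIX shell script that audits an installed binary for the setuid/setgid bits the man page warns against, and walks $PATH for any nmap carrying them. The function names (check_not_setuid, audit_nmap_on_path) are my own; it assumes a POSIX find with -perm and -prune.

```shell
#!/bin/sh
# Added example (not from the nmap project or this thread): audit a binary
# for the setuid/setgid bits that the nmap man page says must never be set.

# check_not_setuid FILE
#   returns 0 when neither setuid nor setgid is set (the safe install),
#   1 when either bit is set (the dangerous configuration),
#   2 when FILE does not exist.
check_not_setuid() {
    f="$1"
    [ -e "$f" ] || { echo "missing: $f" >&2; return 2; }
    # -perm -4000 matches the setuid bit, -perm -2000 the setgid bit;
    # -prune keeps find from descending if FILE happens to be a directory.
    if [ -n "$(find "$f" -prune \( -perm -4000 -o -perm -2000 \) -print)" ]; then
        echo "WARNING: $f is setuid/setgid; nmap must not be installed this way" >&2
        return 1
    fi
    return 0
}

# audit_nmap_on_path
#   walks every directory in $PATH and checks each nmap found there;
#   returns 1 if any of them is setuid/setgid, 0 otherwise.
#   Runs in a subshell so changing IFS does not leak to the caller.
audit_nmap_on_path() (
    status=0
    IFS=:
    for d in $PATH; do
        [ -f "$d/nmap" ] || continue
        check_not_setuid "$d/nmap" || status=1
    done
    return "$status"
)

# Usage: run this file directly to audit every nmap on $PATH.
audit_nmap_on_path && echo "no setuid/setgid nmap found on PATH"
```

If the audit reports a hit, the fix is the one Fyodor describes: remove the special bits (chmod u-s,g-s on the binary) and run scans that need raw sockets as root directly, rather than through a setuid copy.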