Home page logo

nmap-dev logo Nmap Development mailing list archives

Re: --lua-exec packaging
From: Jacek Wielemborek <wielemborekj1 () gmail com>
Date: Thu, 12 Sep 2013 17:49:09 +0200

2013/9/11 Fyodor <fyodor () nmap org>:

On Fri, Sep 6, 2013 at 7:01 PM, David Fifield <david () bamsoftware com> wrote:

On Thu, Sep 05, 2013 at 12:16:00AM +0200, Jacek Wielemborek wrote:
2013/9/5 David Fifield <david () bamsoftware com>:

What do you think about the search path concept?

I'd prefer to avoid that kind of magic until we see a need for it. It
may seem really trivial, but still searching paths is more likely to
have bugs than not. If someone writes to say, "I love your script
xxx.lua, but I hate typing /usr/local/share/ncat/scripts/xxx.lua every
time," then let's consider it more.

David makes an excellent point here.  Perhaps one option is, rather than go
all out checking a bunch of paths, to implement one which only checks the
installation directory first.  That way, as Jacek notes, we could still do
--lua-exec http.lua (maybe in the future someday just --lua-exec http).
Even though specifying an absolute path doesn't seem like much of a burden,
I can see several advantages to checking that dir automatically:

1) It makes it easier for us to document how to use these features.  Most
users don't even know their install directory and it differs by platform
(and of course can be customized by users or distributors).  So in order to
tell them how to start httpd.lua, we'd need to go into how to discovery the
install directory.

2) This is similar to #1, but most Nmap and Ncat users only understand a
tiny subset of the available options.  When doing more complex things, they
often rely on other users through web forums, chat rooms, asking friends,
etc.  It's a lot easier to pass along that knowledge if you can give an
exact command which will work on all systems.

3) We'd never put up with having to specify the path of Nmap's built-in NSE
scripts, so why require it for --lua-exec?  Admittedly this is a weak
argument since we have lots of NSE infrastructure that we probably don't
want to implement for Ncat lua-exec just yet (NSEDoc archive, etc.)

Of course it's up to David and Jacek but I, for one, wouldn't mind a "simple
path" feature.  I agree with David that there is a risk of going overboard.


I like your arguments. I implemented the "simple path" feature in
luaexec-lookup branch, commits r32297 and r32310-32311 (at least so
far). Still, I believe that a way to load scripts from user-defined
directory (maybe via an environment variable? This could easily be
done portably) could prove useful when the user has no root access.
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]