Re: Privilege checks in broadcast-* scripts

[Kris Katterjohn <katterjohn () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/15/2012 05:01 AM, Patrik Karlsson wrote:
> On Sat, Jan 14, 2012 at 9:55 PM, Kris Katterjohn <katterjohn () gmail com
> On 01/14/2012 01:44 PM, Henri Doreau wrote:
> > I would therefore rather prefer to avoid mixing error messages -that
> > don't bring any information about the target- and actual script
> > results.
>
> > What do other people think about it?
>
>
> After I wrote is_privileged(), I did the rootfail stuff in order to notify the
> user of the problem without spewing forth a bunch of identical script output
> that was just an error message anyway.  At the time (a long time ago now it
> seems), the only scripts using a lot of these things I implemented (or started
> doing) were just mine anyway, and since I was playing around a lot with them I
> didn't like the idea of every script on every host needlessly giving me the
> same message.  And since I always run with debugging, I tried to keep it to
> just one message per script (regardless of how many hosts), again to reduce
> how many messages I'd see.
>
> I haven't been following this closely, but since this sounds similar, I say
> keep the error messages (like lacking privileges) out of the script output and
> in verbose/debugging.  Otherwise, we'd be using script output to tell the user
> that they messed up (by not running with proper privileges).  To me, that
> doesn't seem right.
>
> > Regards.
>
>
> Cheers,
> Kris Katterjohn

> The problem I see is that currently, an empty script result could mean either:
> - The script finished successfully, but didn't find anything to report
> - The script didn't run because it didn't have the appropriate privileges to do so
> - The script crashed for some reason and failed to complete

> While I get that some of us at nmap-dev would just increase verbosity and run
> again to see what's happening, I'm not sure this applies to everyone. I guess
> the problem relates to a previous discussion about errors in general not being
> reported properly and the only way to see if a script crashed, failed due to
> insufficient privileges or simply didn't find anything to report is by running
> in debug mode. I think there's a risk here that you rely on a script doing
> it's job and not finding anything, while in reality it just crashed and didn't
> do anything.

> So, in regards to the is_privileged checks, let's keep the checks in the
> prerule until we find a general way to report errors back to the user without
> cluttering the XML reports? There might be one or two more scripts that need
> the change in that case.

That's cool, if you also mean without cluttering the normal output, too.  If
this just means still using my rootfail solution, then that's fine, as long as
every script on every host doesn't needlessly give me the same error message.

> Cheers,
> Patrik

Cheers,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPExMZAAoJEEQxgFs5kUfuDLQQALwhWjfXtwHMvE2UazxvjHa6
DiSjeLbyhzdjkqV/xMJntnR6wa6H0exlE/d9AV/P0rdRCBs4P0MJdb0CONaO7GL9
PTNUpDrDplKrPU+E8kdfmeePAjMA8ZAH5rVoGhh5rHeB3DwaCEE6H6Xd+YjiViMf
OwMLVErDKV0p8Fvu5g6p1wa/Vk59QR70htqrkwHx8eC5XC6fu2ylAgBH5BUJ5kJ7
qjvZSXLy5RJCPOIHQqir/D44bsJYsoDDFdOB6f0zgTPDF25JeGrVlV62Fv2Gy4GV
G6cvwuM6FgWLtzYsDpMX7Oa3odJMUinqXVpH1WDrsu2fq4RX3xHQX6ykS244pJD1
/S4IiHz/+3dfTd5zb9f46F000Skvhbu2EQewhjW71Uyx1gYt3XiB4cL+sLm2RRlH
Swuvcf9JuHlNJl8uYSOa+qeBCAm5iLlhnSvh8BJIcrunT+/3TculdN1VuZkB8qiP
693BAWo5Y8vP5VBzMTz6YKcUw5ltet2FfTBhkXi3i1COhfhGF78JBP2mpDk4CPAN
Biu8wJ4N7Y0A9IyQ5FGMiIPkhiXBVPMrYN7ct7UZhv8uIxcXu6/f2AYCFivAinJS
kFuUXTCzohz49Iak5D8arvbxGXRM+fM1tEwf/EEAfL9HHEHAyIDQvRjQRojdd2hr
LFxjatsQDPBr6f4R0A+B
=/A6Y
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/