Date: Wed, 4 May 2011 02:11:54 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: Nmap 5.51

Hi,

I'm sorry for the delayed response.  Please see below:

On Mon, Apr 18, 2011 at 02:21:34AM +0100, Djalal Harouni wrote:
> I was reviewing the Owl Nmap patch [1] to drop privileges, and I've
> noticed that the Script Pre-scanning phase will run before dropping
> privileges. Actually, there are two issues.
> 
> Some background:
> The Script Pre-scanning phase is a new NSE (Nmap Scripting Engine)
> scan phase which occurs before Nmap starts classic scanning. Scripts in
> this phase can do host/network discovery stuff (broadcast ...) and add
> the discovered targets to the Nmap scanning queue. There is even a new
> committed script 'target-sniffer.nse' to push sniffed targets into the
> Nmap queue. Currently in the nmap-trunk more than 10 scripts will run
> during this script scan phase.
> 
> 
> 1) I think that privileges should be dropped before any scan. 

Yes.  I was not aware of this pre-scanning phase.  I thought we were
merely parsing the scripts before dropping privileges.

> 2) Some (perhaps all) Pre-scanning scripts will not work with this patch
> since they need some info (network interfaces ...) which is not
> available at that time. The pre-scanning phase should not be moved, but
> you can move the open_nse() call if you want to initialize NSE before
> drop_priv().
> 
> 
> I want to contribute to Owl, so let me know if you want me to adjust the
> patch, or if you have some other suggestions.

It'd be great if you adjust and submit a patch for our review and likely
inclusion in Owl.

As a possible next step, maybe you could revise the patch such that it
would be acceptable upstream (perhaps introduce a configure option)?

Thank you!

Alexander
