Hi,

What about if you put nmap in a Docker container and, after each scan, threw the container away and built a new one for the next scan?
That way you could lock down as far as you can, but if the user manages to read the shadow file or overwrite something important, they would only destroy their instance and not affect the rest of the system.

I will add, though, that my Docker skills are very limited, so this is just a vague idea that may be a load of rubbish.

Robin

On Wed, 18 Oct 2023 at 03:55, spearph...@gmail.com <spearph...@gmail.com> wrote:
>
> I'm trying to configure nmap to use with sudo without allowing privilege
> escalation. Managed to come up with several sudoers rules for it to be usable
> without allowing privilege escalation (e.g. using noexec, not allowing scripts,
> etc).
>
> However, there is an issue with the "-iL" parameter, as this can be used to
> read any privileged file/s (including root-only files, e.g. /etc/shadow).
>
> (Question 1:) Any recommendation for it to still be allowed with sudo but not
> be able to read privileged files?
>
> Tried setting up a sudoers rule for it to only be usable in a specific
> directory, but that was easily bypassed by using symlink/s.
>
> (Question 2:) Also, any recommendation for other nmap output parameters (e.g.
> -oG, -oN, -oX, etc.) to be still usable with sudo but not be able to
> overwrite privileged files?
>
> Already have a sudoers rule to prevent appending to files via not allowing
> "--append-output"; however, those output parameters can still be used to
> disrupt the system (e.g. overwrite a critical system file).
>
> (Question 3:) Also have read:
> https://secwiki.org/w/Running_nmap_as_an_unprivileged_user - there is a
> warning/security concern, but do you think this would be a better approach
> rather than coming up with several sudoers rules to prevent privilege
> escalation?
>
> Appreciate it if there would be any response.
>
> Many thanks in advance.
>
> Best Regards,
> Ameer Pornillos
> _______________________________________________
> Sent through the dev mailing list
> https://nmap.org/mailman/listinfo/dev
> Archived at https://seclists.org/nmap-dev/
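A concrete form of the container-plus-wrapper idea discussed above, added here as an illustration for both messages; it is not code from this thread, from the nmap project or from Docker. It assumes a hypothetical wrapper called nmap-safe installed as the only sudo target, two host directories (/var/lib/nmap-safe/in for target lists, /var/lib/nmap-safe/out for reports) and a locally built image nmap-safe:local; every one of those names is an assumption. The wrapper resolves -iL and -o* paths with realpath before mapping them into the container, which closes the symlink bypass on the host side, and whatever nmap manages to read or overwrite anyway lands in a container that is thrown away when the scan ends.

```shell
#!/bin/sh
# nmap-safe: hypothetical wrapper that runs one nmap scan in a throwaway
# container.  Added example for this thread, not nmap or Docker project code.
# Assumed (all names are placeholders):
#   NMAP_SAFE_IN   host directory target lists (-iL) are read from
#   NMAP_SAFE_OUT  host directory reports (-oN/-oX/-oG/-oS/-oA) are written to
#   NMAP_IMAGE     locally built image that has nmap on its PATH
#   sudoers:       %scanners ALL=(root) NOPASSWD: /usr/local/bin/nmap-safe
set -eu

NMAP_SAFE_IN=${NMAP_SAFE_IN:-/var/lib/nmap-safe/in}
NMAP_SAFE_OUT=${NMAP_SAFE_OUT:-/var/lib/nmap-safe/out}
NMAP_IMAGE=${NMAP_IMAGE:-nmap-safe:local}
NL='
'

# rel_inside DIR PATH: follow every symlink in both and, if PATH is DIR or
# lies beneath it, print PATH relative to DIR (empty for DIR itself).
# Fails for anything else, including a symlink that points outside DIR.
rel_inside() {
    dir=$(realpath -e -- "$1") || return 1
    p=$(realpath -e -- "$2" 2>/dev/null) || return 1
    case "$p" in
        "$dir")   printf '\n' ;;
        "$dir"/*) printf '%s\n' "${p#"$dir"/}" ;;
        *)        return 1 ;;
    esac
}

# vet_args ARGS...: print the argument list nmap will see inside the
# container, one per line, with file paths rewritten to the /in and /out
# mounts.  Fails on the first option that reads or writes elsewhere.
vet_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            *"$NL"*) return 1 ;;        # would corrupt the rebuilt argv in run_scan
            -iL)
                [ $# -ge 2 ] || return 1
                rel=$(rel_inside "$NMAP_SAFE_IN" "$2") && [ -n "$rel" ] || return 1
                printf '%s\n%s\n' -iL "/in/$rel"
                shift ;;
            -oN|-oX|-oG|-oS|-oA)
                [ $# -ge 2 ] || return 1
                name=${2##*/}
                case "$name" in ''|.|..) return 1 ;; esac
                [ ! -L "$2" ] || return 1          # last component must not be a symlink
                rel=$(rel_inside "$NMAP_SAFE_OUT" "$(dirname -- "$2")") || return 1
                printf '%s\n%s\n' "$1" "/out/${rel:+$rel/}$name"
                shift ;;
            # glued forms (-iLfile, -oNfile) and the options that read other
            # files (exclude lists, resume logs, NSE scripts, data directories)
            -iL*|-o*|--resume*|--excludefile*|--script*|--datadir*|--servicedb*|--versiondb*|-A*|-s*C*)
                return 1 ;;
            *) printf '%s\n' "$1" ;;
        esac
        shift
    done
}

# run_scan ARGS...: vet the arguments, then run nmap once in a fresh container
# that is deleted on exit (--rm), keeps no capability except raw sockets,
# cannot gain more (no-new-privileges), has a read-only root filesystem and
# sees only the two host directories.  Host networking lets the scan leave
# through the real interfaces.
run_scan() {
    args=$(vet_args "$@") || { echo "nmap-safe: option refused" >&2; return 2; }
    old_ifs=$IFS; IFS=$NL; set -f
    set -- $args                     # one vetted argument per line, no globbing
    set +f; IFS=$old_ifs
    exec docker run --rm --network host \
        --cap-drop ALL --cap-add NET_RAW \
        --security-opt no-new-privileges \
        --read-only --tmpfs /tmp \
        -v "$NMAP_SAFE_IN:/in:ro" -v "$NMAP_SAFE_OUT:/out" \
        "$NMAP_IMAGE" nmap "$@"
}

# Only run when installed under the expected name; sourcing the file for
# tests defines the functions without starting a scan.
case "${0##*/}" in
    nmap-safe) run_scan "$@" ;;
esac
```

Two caveats for anyone adapting this. The wrapper must be root-owned and not writable by the scanning users, and the sudoers rule must leave sudo's default env_reset in place (no SETENV tag, no NMAP_SAFE_* in env_keep), otherwise a user could point NMAP_SAFE_IN at /etc and have the wrapper bind-mount it into the container. The option deny-list is only the secondary control, since nmap grows options over time; the container boundary is what actually keeps the host's /etc/shadow out of reach. Reports written into /out are owned by root, so hand them back with chown keyed on $SUDO_UID or put a group ACL on that directory.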