Is it dangerous to allow every user to run nmap as root?
At our university we have some computers in the "networking lab", that are configured to allow everybody to run nmap as root via /etc/sudoers. Could this be a security vulnerability?
There are a few areas of potential vulnerability:

1. If the users are able to scan a production-type network, there is the potential for causing denial-of-service problems for various services and systems. This is not specifically a vulnerability of running nmap as root however; this is just the nature of the tool. Sandbox the scanned network accordingly and you'll be fine.

2. If there are security bugs in the nmap application itself, then yes, there could be vulnerabilities. Check bugtraq and the full disclosure mailing lists for these. Make sure you're using the latest version of stable nmap (I don't recommend using beta versions of anything for anything serious) and you should be fine.

3. Lastly, if someone was able to plant a malicious Lua script that could be run by the nmap scripting engine (NSE), then there is the potential for that script to be run as root. Shell access can be gained via the NSE; see Kim's answer for details.
Of the three, the 2nd and 3rd are the ones that will be amplified by running as root. The issues will still remain as a general user; the vulnerabilities will be limited to the extent that the general user has access.
You can restrict which nmap options can be used via the sudo config file to try and mitigate #3 by not allowing the users to utilize the NSE. Of course, if they need access to the NSE to accomplish their educational goals, then you'll likely have to accept the risk.
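One way to implement that sudoers restriction, as an added example that is not code from any of the answers: instead of listing /usr/bin/nmap itself in sudoers, where negating individual flags with wildcards is unreliable, list a root-owned wrapper that allowlists options and targets and refuses anything that loads NSE scripts or makes nmap read or write files as root. The wrapper path /usr/local/sbin/nmap-lab, the netlab group and the 10.42.0.0/24 lab subnet are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original answers): a wrapper that sudoers can
# allow instead of /usr/bin/nmap, so the only root-capable invocation is one
# that has passed an option allowlist and a target check.
# Assumed sudoers entry (hypothetical path and group):
#   %netlab ALL=(root) NOPASSWD: /usr/local/sbin/nmap-lab
# Assumed lab subnet for the target check: 10.42.0.0/24 (constructed).

# Accepts a single lab address, a last-octet range, or the whole /24.
LAB_TARGET_RE='^10\.42\.0\.([0-9]{1,3}(-[0-9]{1,3})?|0/24)$'

# validate_args: print a reason and return 1 if any argument is not permitted.
# Anything starting with '-' is treated as an option, everything else as a target.
validate_args() {
    expect_value=0
    for arg in "$@"; do
        # A bare -p takes its port list from the next argument.
        if [ "$expect_value" -eq 1 ]; then
            expect_value=0
            case "$arg" in
                -*) echo "refused: port list expected after -p" >&2; return 1 ;;
            esac
            continue
        fi
        case "$arg" in
            # Anything that loads NSE scripts or changes where nmap looks for them.
            --script*|-sC|-A|--datadir*)
                echo "refused: $arg enables the scripting engine or alters its data dir" >&2
                return 1 ;;
            # Options that make nmap read or write arbitrary files as root.
            -iL*|-o*|--resume*|--stylesheet*|--excludefile*)
                echo "refused: $arg reads or writes files as root" >&2
                return 1 ;;
            # Explicit allowlist of single options. Combined short flags such as
            # -sCV or -sSA are not listed and therefore fall through to refusal.
            -sS|-sT|-sU|-sV|-sn|-O|-Pn|-n|-v|-vv|-T[0-5]|--open|-p?*)
                ;;
            -p)
                expect_value=1 ;;
            -*)
                echo "refused: option $arg is not on the allowlist" >&2
                return 1 ;;
            *)
                if ! printf '%s\n' "$arg" | grep -Eq "$LAB_TARGET_RE"; then
                    echo "refused: target $arg is outside the lab subnet" >&2
                    return 1
                fi ;;
        esac
    done
    if [ "$expect_value" -eq 1 ]; then
        echo "refused: -p given without a port list" >&2
        return 1
    fi
    return 0
}

# Entry point: refuse unless every argument passed, then run the real binary
# by absolute path. Only runs when installed under the expected name, so the
# file can be sourced for testing without launching a scan.
main() {
    validate_args "$@" || exit 1
    exec /usr/bin/nmap "$@"
}
case "$(basename "$0")" in
    nmap-lab) main "$@" ;;
esac
```

The wrapper must be owned by root and not writable by lab users, and sudoers must reference only the wrapper, never /usr/bin/nmap. Because the check is an allowlist, any option not listed (including combined flags like -sCV that would hide -sC) is refused, so extend the list deliberately rather than adding more deny patterns. sudo's default env_reset keeps variables such as NMAPDIR out of the root environment, which is why the wrapper does not scrub them itself.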
Letting users use computers could be a security vulnerability. Most "hacks" are inside jobs.
Anyway, nmap could be a security problem no matter what. A hammer builds houses, it also puts holes in skulls. Depends on the user and intent.
Chances are nmap in the school will be used 99% of the time the way it's intended for a learning environment. I think you almost have to allow it some root access since you're playing with ports below 1024.
The problem is that these can be used to "audit" other computers on your network.
If you want to limit the damage, consider:

a) partition off the labs at the switch from being able to portscan other computers outside the lab, or selectively allow services outside the lab to be scanned or accessed if these are general usage labs.

b) run nmap on virtualized machines that the students can configure and customize but be easily wiped, maybe by ssh'ing into a virtualized student server that gives them more access. This lets you centralize management a bit better and they can do things using XLiveCD on Windows or any Linux environment on the lab computers.
Nmap can also put a strain on any network. If you have a lab of 20 machines simultaneously portscanning other machines at the same time you're going to be pushing a lot of traffic through the switches...hope they've got the horsepower to handle it or you're going to see some weird stuff.
I just found out that nmap lets the user run arbitrary Lua scripts. You can get a root shell with this Lua script: