From b47df7b33faae702f9d59f885bf32a04df964154 Mon Sep 17 00:00:00 2001
From: Adam Outler
Date: Sat, 27 Sep 2025 19:48:36 -0400
Subject: [PATCH] capcheck
---
 Dockerfile | 8 +++++--
 front/plugins/dhcp_servers/script.py | 2 +-
 install/alpine-docker/entrypoint.sh | 3 +++
 install/alpine-docker/services/capcheck.sh | 25 ++++++++++++++++++++++
 4 files changed, 35 insertions(+), 3 deletions(-)
 create mode 100644 install/alpine-docker/services/capcheck.sh
diff --git a/Dockerfile b/Dockerfile
index c92f9b1f..fc99e770 100755
--- a/Dockerfile
+++ b/Dockerfile
@@ -65,7 +65,8 @@ RUN addgroup -g 20211 netalertx && \
 RUN apk add --no-cache bash mtr libbsd zip lsblk sudo tzdata curl arp-scan iproute2 \
 iproute2-ss nmap nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake \
- ca-certificates sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 nginx sudo && \
+ ca-certificates sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 \
+ nginx sudo libcap && \
 rm -rf /var/cache/apk/* && \
 rm -f /etc/nginx/http.d/default.conf
@@ -81,6 +82,9 @@ RUN install -d -o netalertx -g netalertx -m 755 ${NETALERTX_API} && \
 sh -c "find ${NETALERTX_APP} -type f \( -name '*.sh' -o -name 'speedtest-cli' \) \
 -exec chmod 750 {} \;"
+# setcap to allow nmap to run without root
+RUN setcap cap_net_raw,cap_net_admin+eip /usr/bin/nmap
+
 #initialize each service with the dockerfiles/init-*.sh scripts, once.
 RUN sh /build/init-nginx.sh && \
 sh /build/init-php-fpm.sh && \
@@ -127,7 +131,7 @@ RUN apk del sudo && \
 RUN rm -Rf /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \
 /lib/apk /lib/firmware /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \
 /srv /media && \
- echo -ne '#!/bin/bash\nexit 0\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
+ echo -ne '#!/bin/bash\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
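Review bot: The `+eip` file capability set by the new `RUN setcap` line makes every exec of /usr/bin/nmap depend on both CAP_NET_RAW and CAP_NET_ADMIN being present in the container's bounding set; to my knowledge, when the effective bit is set and a file-permitted capability cannot be granted, the kernel refuses the execve with EPERM rather than starting nmap with reduced rights, so on a runtime that does not grant NET_ADMIN by default nmap will not launch at all (this appears to be the very condition the new capcheck.sh keys on via exit status 126). File capabilities also apply to any uid in the container, not just netalertx, so whatever user the installed nginx/php-fpm run as can obtain a raw-socket-capable nmap too. Both points belong in the comment, e.g. `# File caps (+eip) give nmap raw-socket rights for ANY uid in the container; exec fails with EPERM unless the container keeps CAP_NET_RAW and CAP_NET_ADMIN in its bounding set (see capcheck.sh).`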
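Review bot: The replacement sudo shim runs `"$@"` as the current user, so any caller that still passes sudo options (`-n`, `-u`, `-E`, `--`) will now try to execute that option as a command and fail with a misleading "command not found", where the old `exit 0` stub at least failed predictably. Because the real package is deleted (`apk del sudo`) and /etc/sudoers is removed in this same chain, this is a compatibility pass-through rather than an escalation path, which is worth stating so nobody later reinstalls the package to "fix" it. I would write the shim as `echo -ne '#!/bin/bash\nexec "$@"\n' > /usr/bin/sudo` so the callee replaces the shell and receives signals directly, preceded by `# sudo is a no-op pass-through: the real package is removed above; privileged tools rely on file capabilities instead.`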
diff --git a/front/plugins/dhcp_servers/script.py b/front/plugins/dhcp_servers/script.py
index c434a9d3..63bd8c82 100755
--- a/front/plugins/dhcp_servers/script.py
+++ b/front/plugins/dhcp_servers/script.py
@@ -41,7 +41,7 @@ def main():
 plugin_objects = Plugin_Objects(RESULT_FILE)
 timeoutSec = get_setting_value('DHCPSRVS_RUN_TIMEOUT')
- nmapArgs = ['sudo', 'nmap', '--script', 'broadcast-dhcp-discover']
+ nmapArgs = ['sudo', 'nmap', '--privileged' '--script', 'broadcast-dhcp-discover']
 try:
 dhcp_probes = 1
diff --git a/install/alpine-docker/entrypoint.sh b/install/alpine-docker/entrypoint.sh
index f7a10b1a..b9a2506a 100644
--- a/install/alpine-docker/entrypoint.sh
+++ b/install/alpine-docker/entrypoint.sh
@@ -1,5 +1,8 @@
 #!/bin/bash
+# verify container capabilities at startup
+/services/capcheck.sh
+
 # Function to clean up background processes
 cleanup() {
 echo "Caught signal, shutting down services..."
diff --git a/install/alpine-docker/services/capcheck.sh b/install/alpine-docker/services/capcheck.sh
new file mode 100644
index 00000000..56dc3b47
--- /dev/null
+++ b/install/alpine-docker/services/capcheck.sh
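Review bot: The added list literal is missing a comma between `'--privileged'` and `'--script'`, so Python's adjacent-string concatenation yields the single argument `--privileged--script`; nmap would be expected to reject that unknown option (or at best treat `broadcast-dhcp-discover` as a target host), so the DHCP-server probe stops working with this commit. The fix is `nmapArgs = ['sudo', 'nmap', '--privileged', '--script', 'broadcast-dhcp-discover']`. A short comment such as `# --privileged: nmap relies on file capabilities, not euid 0, inside the container` would explain why the flag is there. main() continues outside the hunk.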
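Review bot: The diffstat records capcheck.sh as `create mode 100644`, i.e. not executable, yet the entrypoint invokes it directly as `/services/capcheck.sh`; unless a COPY or chmod step not shown in this patch marks it executable (the Dockerfile's `find ... -name '*.sh' -exec chmod 750` covers only ${NETALERTX_APP}, which may or may not include /services), the call fails with "Permission denied" and the warning is never printed. Invoking it as `sh /services/capcheck.sh`, matching its `#!/bin/sh` shebang, removes the dependency on the file mode. The script's non-zero exit when capabilities are missing is deliberately not acted on here, which a comment like `# warn-only: capcheck.sh exits 1 when NET_RAW/NET_ADMIN are missing, but startup continues` should make explicit.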
@@ -0,0 +1,25 @@
+#!/bin/sh
+# check_nmap_caps.sh - Uses a real nmap command to detect missing container
+# privileges and warns the user. It is silent on success.
+
+# Run a fast nmap command that requires raw sockets, capturing only stderr.
+ERROR_OUTPUT=$(nmap --privileged -sS -p 20211 127.0.0.1 2>&1 >/dev/null)
+EXIT_CODE=$?
+
+# If the exit code is exactly 126 AND the error message contains a known permission error...
+if [ "$EXIT_CODE" -eq 126 ] && \
+ echo "$ERROR_OUTPUT" | grep -q -e "Operation not permitted" -e "requires root privileges"
+then
+ # ...then print the detailed warning.
+ echo "⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️" >&2
+ echo " ATTENTION: This container is running without elevated" >&2
+ echo " network privileges (NET_RAW/NET_ADMIN)." >&2
+ echo "" >&2
+ echo " Advanced network tools that require raw socket access," >&2
+ echo " like 'nmap -sS', will fail." >&2
+ echo "" >&2
+ echo " To fix this, restart the container with the following flags:" >&2
+ echo " --cap-add=NET_RAW --cap-add=NET_ADMIN" >&2
+ echo "⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️" >&2
+ exit 1
+fi
\ No newline at end of file
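Review bot: The condition requires exit status exactly 126, which as far as I can tell is only what the shell reports when execve of the capability-bearing nmap binary itself is refused (EPERM from the file-cap check); in the other failure mode — nmap starts but the raw socket is blocked, e.g. by a seccomp or LSM profile — nmap exits with its own status (1, to my knowledge) and its own "requires root privileges"/"Operation not permitted" text, so the second grep pattern can never match and the check stays silent on exactly the situation the banner describes. Testing for any failure, `if [ "$EXIT_CODE" -ne 0 ] && \`, while keeping the grep on the permission strings as the discriminator, covers both paths without firing on a successful scan; the header comment should say so instead of "exactly 126". The header also names the file `check_nmap_caps.sh` while the patch creates `capcheck.sh`, and the file is missing its trailing newline.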