Monday, May 28, 2007

What can I do?

This week I've been thinking about how to implement authorization in umitWeb. In other words, I've been trying to define a way to determine what users can or cannot do running nmap on UmitWeb (once UmitWeb aways run as root on the server).

After a few days, I made a draft that describes how it will work. The mechanism is quite simple: each User will be assigned to a Role, and that role can have several Access Permissions. This appear to be an obvious way to do authorization. But how could access divided in permissions?

I found a way that I guess it's interesting: each Role will have definitions about details of command composition. For example, a Role to an user that can execute OS detection will have a permission to execute nmap with the '-O' parameter. In other hand, if a role doesn't have a permission that define the '-sV' command, users assigned to that role cannot do detection of service's versions.

The better way to find this option inside the nmap command line is comparing it with regular expressions. There are advantages to use regular expressions to indentify parts of a command. The permission definition can me written in an XML file (like options and profiles), and it can be extended by the user. For example, if a user want to create a new permission definition, He/she can easily do it by editing the security.xml and put inside it the properly regular expression associated with that permission.

Other important thing that is important to think is about how umit will handle the permissions order in each role. I think that the best way to do it is 'chaining' all permissions and categorize it by defining a priority order. This way, umit will work like a 'command firewall', filtering the options to allow or deny the command execution.

I'm still thinking if the best way to store user roles is in XML files or a database. I have this issue to store users too. I'll realize tests and researches about security issues in each case.

Next week will be time to implement my thoughts and test it. Let's roll in the first official GSoC week. Here we go!

From: UmitWeb POST

Wednesday, May 23, 2007

Umit as the official Nmap Frontend

For those of you who has been following the Umit development, running it from a working copy of its repository, you may have noted that the interface has changed a little bit, and it feel cleaner now. Also, I hope you didn't notice the Crash Report window that is shown when Umit die with an uncatch exception caused by an alien error.

These modifications will feature the next Umit version, which is been integrated to Nmap this month, and soon will be launched for testing. This new is worth a post here because Umit has reached again one more milestone, and the quantity of users which will use Umit will increase A LOT after that, leaving us with a good user base for testing and giving us feedback with sugestions, and inspiring us on making an even better tool to make your work faster every day.

Soon, Umit will feature brand new features like UmitMapper, NetworkInventory, Profile/Wizard Editor, NSE Facilitator, UmitWeb, and whole load of features intended to make you waste less time working and more time with your familly. That's our goal!

So, stay tunned for the next Nmap release, give it a try and let us know your thoughts about it, sending us a bug report[1] if you find a bug or an email[2] if you just want to give us some feedback or sugestion about the tool.


[1] - http://sourceforge.net/tracker/?group_id=142490&atid=752647
[2] - My e-mail is py.adriano at that google mail that we all love ;-)