View Issue Details

IDProjectCategoryView StatusLast Update
0009085Kali LinuxKali Package Bugpublic2025-02-03 15:24
Reportervhong Assigned Tosteev  
PrioritynormalSeverityminorReproducibilityhave not tried
Status assignedResolutionopen 
Summary0009085: nmap requires NET_ADMIN capability in Docker containers
Description

Hi,
https://gitlab.com/kalilinux/packages/nmap/-/commit/b6f4293f7f9c4099e38e5958ec37075c9e6cfdf4 added a postinit script for nmap that sets the capability for the nmap command:

setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip /usr/lib/nmap/nmap;

This causes an issue with Docker containers that do not have NET_ADMIN capabilities. Reproduction steps:

~ % docker run --rm -it kalilinux/kali-last-release@sha256:5304a4e89ddcaa3bf4e5da32b0bde305b1603d59911c7fdcd3f99e91318fb739 bash
┌──(root㉿7c4300e0e0fb)-[/]
└─# apt update && apt install -y libcap2-bin nmap
<truncated>

┌──(root㉿7c4300e0e0fb)-[/]
└─# nmap -v
/usr/bin/nmap: 6: exec: /usr/lib/nmap/nmap: Operation not permitted

To fix this:

┌──(root㉿7c4300e0e0fb)-[/]
└─# setcap cap_net_raw,cap_net_bind_service+eip /usr/lib/nmap/nmap

┌──(root㉿7c4300e0e0fb)-[/]
└─# nmap -v
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-30 14:39 UTC
Read data files from: /usr/share/nmap
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.03 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

Here are the output of capsh inside my Docker container:

┌──(root㉿7c4300e0e0fb)-[/]
└─# capsh --print
Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Ambient set =
Current IAB: !cap_dac_read_search,!cap_linux_immutable,!cap_net_broadcast,!cap_net_admin,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_lease,!cap_audit_control,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read,!cap_perfmon,!cap_bpf,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0 (no-new-privs=0)
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
 secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root)
Guessed mode: HYBRID (4)

Activities

kali-bugreport

kali-bugreport

2025-01-31 20:06

reporter   ~0020311

Related? https://gitlab.com/kalilinux/packages/nmap/-/issues/7

vhong

vhong

2025-02-03 10:46

reporter   ~0020314

Yes, that issue seems related. I believe https://gitlab.com/kalilinux/packages/nmap/-/issues/7 is the reason for the revert commit: Revert "Add capabilities to nmap". And this current issue is re-introduced in commit Add capabilities, take 2.

steev

steev

2025-02-03 15:24

manager   ~0020315

Correct, it does. We probably should have communicated it better that we expect people to run docker containers as privileged or the specific capabilities now. One of the big issues with containers is that there is no easy way to tell software that it is running inside a container (kinda the point of them, they are not supposed to know) so we can not do any sort of check during installation before applying the changes.

Issue History

Date Modified Username Field Change
2025-01-30 14:41 vhong New Issue
2025-01-31 17:37 g0tmi1k Assigned To => steev
2025-01-31 17:37 g0tmi1k Status new => assigned
2025-01-31 20:06 kali-bugreport Note Added: 0020311
2025-02-03 10:46 vhong Note Added: 0020314
2025-02-03 15:24 steev Note Added: 0020315