capcheck

2025-12-06 17:15:38 -08:00 · 2025-09-27 19:48:36 -04:00
parent 46097bb6e8
commit b47df7b33f
4 changed files with 35 additions and 3 deletions
--- a/8
+++ b/8
@@ -65,7 +65,8 @@ RUN addgroup -g 20211 netalertx && \

 RUN apk add --no-cache bash mtr libbsd zip lsblk sudo tzdata curl arp-scan iproute2 \
    iproute2-ss nmap nmap-scripts traceroute nbtscan net-tools net-snmp-tools bind-tools awake \
-    ca-certificates sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 nginx sudo && \
+    ca-certificates sqlite php83 php83-fpm php83-cgi php83-curl php83-sqlite3 php83-session python3 \
+    nginx sudo libcap  && \
    rm -rf /var/cache/apk/* && \
    rm -f /etc/nginx/http.d/default.conf

@@ -81,6 +82,9 @@ RUN install -d -o netalertx -g netalertx -m 755 ${NETALERTX_API} && \
    sh -c "find ${NETALERTX_APP} -type f \( -name '*.sh' -o -name 'speedtest-cli' \) \
        -exec chmod 750 {} \;"

+# setcap to allow nmap to run without root
+RUN setcap cap_net_raw,cap_net_admin+eip /usr/bin/nmap
+
 #initialize each service with the dockerfiles/init-*.sh scripts, once.
 RUN sh /build/init-nginx.sh && \
    sh /build/init-php-fpm.sh && \
@@ -127,7 +131,7 @@ RUN apk del sudo && \
 RUN rm -Rf /etc/sudoers.d/* /etc/shadow /etc/gshadow /etc/sudoers \
    /lib/apk /lib/firmware  /lib/modules-load.d /lib/sysctl.d /mnt /home/ /root \
    /srv /media && \
-    echo -ne '#!/bin/bash\nexit 0\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo
+    echo -ne '#!/bin/bash\n"$@"\n' > /usr/bin/sudo && chmod +x /usr/bin/sudo



--- a/front/plugins/dhcp_servers/script.py
+++ b/front/plugins/dhcp_servers/script.py
@@ -41,7 +41,7 @@ def main():
    plugin_objects = Plugin_Objects(RESULT_FILE)
    timeoutSec = get_setting_value('DHCPSRVS_RUN_TIMEOUT')

-    nmapArgs = ['sudo', 'nmap', '--script', 'broadcast-dhcp-discover']
+    nmapArgs = ['sudo', 'nmap', '--privileged' '--script', 'broadcast-dhcp-discover']

    try:
        dhcp_probes = 1
--- a/install/alpine-docker/entrypoint.sh
+++ b/install/alpine-docker/entrypoint.sh
@@ -1,5 +1,8 @@
 #!/bin/bash

+# verify container capabilities at startup
+/services/capcheck.sh
+
 # Function to clean up background processes
 cleanup() {
    echo "Caught signal, shutting down services..."
--- a/install/alpine-docker/services/capcheck.sh
+++ b/install/alpine-docker/services/capcheck.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+# check_nmap_caps.sh - Uses a real nmap command to detect missing container
+# privileges and warns the user. It is silent on success.
+
+# Run a fast nmap command that requires raw sockets, capturing only stderr.
+ERROR_OUTPUT=$(nmap --privileged -sS -p 20211 127.0.0.1 2>&1 >/dev/null)
+EXIT_CODE=$?
+
+# If the exit code is exactly 126 AND the error message contains a known permission error...
+if [ "$EXIT_CODE" -eq 126 ] && \
+   echo "$ERROR_OUTPUT" | grep -q -e "Operation not permitted" -e "requires root privileges"
+then
+    # ...then print the detailed warning.
+    echo "⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️" >&2
+    echo "  ATTENTION: This container is running without elevated" >&2
+    echo "             network privileges (NET_RAW/NET_ADMIN)." >&2
+    echo "" >&2
+    echo "  Advanced network tools that require raw socket access," >&2
+    echo "  like 'nmap -sS', will fail." >&2
+    echo "" >&2
+    echo "  To fix this, restart the container with the following flags:" >&2
+    echo "  --cap-add=NET_RAW --cap-add=NET_ADMIN" >&2
+    echo "⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️" >&2
+    exit 1
+fi