Networking Forums

nmap does not run as root

 
 
Timo Nentwig
Guest
Posts: n/a

 
      01-08-2004, 12:08 PM
Hi!

I've some very strange problem. nmap does work when invoked as an ordinary
user but it does _not_ when invoked as _root_:

root # nmap localhost

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-12-23 09:45 CET
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 36.463 seconds
# su someuser
# nmap localhost

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-12-23 09:46 CET
Interesting ports on localhost (127.0.0.1):
(The 1634 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh

Nmap run completed -- 1 IP address (1 host up) scanned in 0.401 seconds


It stops working for ordinary users as well if I set SUID to nmap.

Any idea?
Timo
 
Cameron Kerr
Guest
Posts: n/a

 
      01-08-2004, 10:09 PM
On 2004-01-08, Timo Nentwig <(E-Mail Removed)> wrote:
> Hi!
>
> I've some very strange problem. nmap does work when invoked as an ordinary
> user but it does _not_ when invoked as _root_:
>
> root # nmap localhost


I suggest you post the following. This may shed light on what's
happening.

strace -o /tmp/trace nmap localhost
tail -30 /tmp/trace

> Starting nmap 3.30


What distribution are you running? The latest is 3.48 at least, although
nmap does increment quite quickly.

Perhaps an upgrade would help. Check the bug tracking for your
distribution.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
 
 
Timo Nentwig
Guest
Posts: n/a

 
      01-09-2004, 07:17 AM
Cameron Kerr wrote:

> strace -o /tmp/trace nmap localhost
> tail -30 /tmp/trace


Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-01-09 09:14 CET
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 36.800 seconds

# tail -30 /tmp/trace
select(6, [5], NULL, NULL, {0, 20000}) = 0 (Timeout)
gettimeofday({1073636125, 709687}, NULL) = 0
select(6, [5], NULL, NULL, {0, 20000}) = 0 (Timeout)
gettimeofday({1073636125, 729704}, NULL) = 0
select(6, [5], NULL, NULL, {0, 20000}) = 0 (Timeout)
gettimeofday({1073636125, 749696}, NULL) = 0
select(6, [5], NULL, NULL, {0, 20000}) = 0 (Timeout)
gettimeofday({1073636125, 769698}, NULL) = 0
select(6, [5], NULL, NULL, {0, 20000}) = 1 (in [5], left {0, 3000})
recvfrom(5, "\0\0\0\0\0\0\0\0\0\0\0\0\10\0E\0\0|\271A@\0@\6\20 38\177"..., 104, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if1, pkttype=PACKET_OUTGOING, addr(0)={772, }, [20]) = 138
gettimeofday({1073636125, 788734}, NULL) = 0
select(6, [5], NULL, NULL, {0, 20000}) = 1 (in [5], left {0, 20000})
recvfrom(5, "\0\0\0\0\0\0\0\0\0\0\0\0\10\0E\0\0|\271A@\0@\6\20 38\177"..., 104, MSG_TRUNC, {sa_family=AF_PACKET, proto=0x800, if1, pkttype=PACKET_HOST, addr(0)={772, }, [20]) = 138
ioctl(5, 0x8906, 0xbfff5f50) = 0
gettimeofday({1073636125, 788922}, NULL) = 0
gettimeofday({1073636125, 788945}, NULL) = 0
close(-1) = -1 EBADF (Bad file descriptor)
close(3) = 0
close(4) = 0
close(5) = 0
gettimeofday({1073636125, 789154}, NULL) = 0
time(NULL) = 1073636125
write(1, "Note: Host seems down. If it is "..., 81) = 81
write(1, "Nmap run completed -- 1 IP addre"..., 74) = 74
brk(0) = 0x80f6000
brk(0) = 0x80f6000
brk(0x80ea000) = 0x80ea000
brk(0) = 0x80ea000
munmap(0x4001a000, 4096) = 0
exit_group(0) = ?

Sure, this will help you? The entire trace is ~500KiB large...

>> Starting nmap 3.30

>
> What distribution are you running? The latest is 3.48 at least, although
> nmap does increment quite quickly.


SuSE9. I build 3.48 manually now. A manually built version once worked on
SuSE 8.2 BTW.


 
 
Cameron Kerr
Guest
Posts: n/a

 
      01-10-2004, 01:00 PM
On 2004-01-09, Timo Nentwig <(E-Mail Removed)> wrote:
> Cameron Kerr wrote:
>
>> strace -o /tmp/trace nmap localhost
>> tail -30 /tmp/trace


> Sure, this will help you? The entire trace is ~500KiB large...


Hmmm, it seems not to come up with any system call errors that would be
suspect.

--
Cameron Kerr
(E-Mail Removed) : http://nzgeeks.org/cameron/
Empowered by Perl!
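
An added example, not part of the original posts: because the full trace is ~500KiB and `tail -30` shows only its end, this shell sketch lists every failed system call in an `strace -o` log and counts how many `select()` calls timed out. The function names and the sample file are assumptions made for illustration; the sample lines are excerpted from the trace posted above, and the parsing assumes strace's default output without `-f` PID prefixes.

```shell
#!/bin/sh
# Triage an "strace -o FILE" log as a whole instead of reading only its tail.

# Print "count syscall ERRNO" for every failed call, most frequent first.
strace_failures() {
    awk '
        # A failed call ends with: ") = -1 ERRNO (description)"
        match($0, /\) += -1 E[A-Z0-9]+ /) {
            name = $0
            sub(/\(.*/, "", name)                 # syscall name before "("
            err = substr($0, RSTART, RLENGTH)
            sub(/^\) += -1 /, "", err)            # strip up to the errno name
            sub(/ $/, "", err)
            n[name " " err]++
        }
        END { for (k in n) print n[k], k }
    ' "$1" | sort -rn
}

# Count select() calls that timed out versus those that found a readable fd.
select_summary() {
    awk '
        /^select\(/ && / = 0 \(Timeout\)$/     { t++ }
        /^select\(/ && / = [1-9][0-9]* \(in /  { r++ }
        END { printf "timeouts=%d ready=%d\n", t, r }
    ' "$1"
}

# Sample input: lines excerpted from the trace in the post above.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
select(6, [5], NULL, NULL, {0, 20000}) = 0 (Timeout)
gettimeofday({1073636125, 769698}, NULL) = 0
select(6, [5], NULL, NULL, {0, 20000}) = 1 (in [5], left {0, 3000})
ioctl(5, 0x8906, 0xbfff5f50) = 0
close(-1) = -1 EBADF (Bad file descriptor)
close(3) = 0
write(1, "Note: Host seems down. If it is "..., 81) = 81
EOF

strace_failures "$sample"
select_summary "$sample"
```

Run against the real file as `strace_failures /tmp/trace` and `select_summary /tmp/trace` to cover all of the trace rather than the last 30 lines.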
 
 
Aaron Drew
Guest
Posts: n/a

 
      01-18-2004, 12:47 PM
Rootkit perhaps?


 