[csw-buildfarm] Nmap access to Solaris build farm

David Fifield david at bamsoftware.com
Thu Sep 29 16:24:55 CEST 2011


On Thu, Sep 29, 2011 at 11:42:36AM +0200, Dagobert Michelsen wrote:
> Hi David,
> 
> On 29.09.2011 at 00:05, David Fifield wrote:
> > On Wed, Sep 28, 2011 at 02:57:05PM -0700, David Fifield wrote:
> >> In http://seclists.org/nmap-dev/2011/q3/646, you offered to let us have
> >> access to the Solaris build farm for the purpose of testing Nmap. We'd
> >> like to accept the offer.
> >> 
> >> I've seen the page at
> >> http://www.opencsw.org/extend-it/contribute-packages/build-standards/build-machines/.
> >> Here is an SSH public key. If you need a user name, "nmap" will do. Do
> >> you need anything else?
> > 
> > I forgot to add: does build farm access include root access? Most
> > non-trivial testing of Nmap requires access to raw sockets.
> 
> Not by default. What do you need? Will an internal zone without
> connection to the internet (only via the login server) suffice? We are
> a bit short on official IP addresses, but if you need one I can set up
> a special zone with root access just for nmap and a dedicated network
> interface.

It doesn't necessarily have to have raw sockets to the Internet; just
being able to scan internal IPs would be okay.

We had trouble with another Solaris zone because it didn't have the
/dev/ip device. I found this documentation:

http://docs.huihoo.com/opensolaris/solaris-containers-resource-management-and-solaris-zones/html/p87.html
        In general, all applications can run in a non-global zone.
        However, the following types of applications might not be
        suitable for this environment:
        * The few applications dependent upon certain devices that do
          not exist in a non-global zone, such as /dev/kmem or /dev/ip.

I think, in short, that we need the DLPI interface; i.e., the "snoop"
command would have to work. From what I read, that would expose even
traffic destined to other zones, so a dedicated network interface is a
good idea if that's easy to do.

David Fifield


