Nmap Device Tracker: solution

As a new user of Home Assistant I set it up on Armbian under a python3 virtual environment. I had difficulties with the nmap device tracker, but none of the similar topics on here explained the issue that was affecting me, so, as it seemed it might affect others, I thought I’d post my issue and solution here.

Issue: nmap on the command line e.g. “nmap -sn --host-timeout 10s 192.168.1.0/24” was detecting all hosts on the LAN, but device tracker was seeing only a small proportion of them

Problem: I was logged in as ‘root’ to test the nmap command. When root user, nmap with those options uses ICMP ‘ping’. The same command run under user ‘homeassistant’ who does not have root privileges does not use ICMP ping and therefore misses all hosts that do not respond to TCP SYN on port 80, which happened to be many devices. (Trying nmap with the ‘--privileged’ option as user homeassistant gave an error ‘dnet: failed to open device… QUITTING’.)

My solution (YMMV) is to set the root-uid bit on /usr/bin/nmap (chmod u+s /usr/bin/nmap). When run under user ‘homeassistant’ nmap then gives a warning about a security flaw, but then proceeds to identify all hosts properly.

YMMV as there are certainly other solutions to using nmap functionality without exposing the security flaw. The simplest might be to use ‘ping’ tracker instead of ‘nmap’, but as the IP address leases are not all reserved that isn’t a reliable option in my case. nmap options available to non-root users that get nearly all of the hosts to respond require probing on many ports per IP address and take several minutes to complete on my network (roughly 30-50 active hosts).

Alternatively, see the instructions at the bottom of the component page to add the Linux capabilities flags to nmap.


suid root is a security risk AFAIK.

Hi tinkerer, Thanks for the suggestion - perhaps I should have made clear though, I tried that first of course but it didn’t work for me (for reasons which I don’t claim to understand). To be specific, this is what I tried:

  1. As root, I used setcap and checked that getcap /usr/bin/nmap returned:
    /usr/bin/nmap = cap_net_bind_service,cap_net_admin,cap_net_raw+eip
  2. With no setuid I tried nmap -sn 192.168.1.0/24 as homeassistant user
  3. nmap reported 19 hosts up
  4. I then added setuid to nmap and as root tried again
  5. nmap reported 42 hosts up.

As in the original post YMMV of course, noting I am using Armbian stretch running homeassistant in a python3 venv.

That’s probably because you missed the rest of the instructions there, and forgot to add --privileged to the nmap command line :wink:

That’s certainly true. Either doing that, or setting the NMAP_PRIVILEGED environment variable gave the “dnet: error” as per the original issue I was trying to overcome.
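
As an added example (not code from any poster in this thread or from Home Assistant), the shell check below reports which of the mechanisms discussed above an nmap binary currently relies on: setuid, file capabilities, or neither. It assumes Linux `stat -c`, an optional `getcap`, and the `/usr/bin/nmap` path used in the thread; the function names `privilege_mode` and `report` are hypothetical.

```sh
#!/bin/sh
# Added example: report how a binary such as nmap obtains raw-socket privileges.
# Assumes Linux (GNU or busybox stat); getcap is used only if it is installed.

# Prints one of: missing | setuid-root | setuid-other | capabilities | unprivileged
privilege_mode() {
    bin=$1
    if [ ! -e "$bin" ]; then echo "missing"; return 0; fi
    if [ -u "$bin" ]; then
        # setuid: every user who can execute the file runs it as its owner
        if [ "$(stat -c '%u' "$bin")" = "0" ]; then
            echo "setuid-root"
        else
            echo "setuid-other"
        fi
        return 0
    fi
    if command -v getcap >/dev/null 2>&1; then
        case $(getcap "$bin" 2>/dev/null) in
            *cap_net_raw*) echo "capabilities"; return 0 ;;
        esac
    fi
    echo "unprivileged"
}

# Human-readable report; the commands are only printed, never executed.
report() {
    bin=$1
    mode=$(privilege_mode "$bin")
    echo "$bin: $mode (NMAP_PRIVILEGED=${NMAP_PRIVILEGED-unset})"
    case $mode in
        setuid-root)
            echo "  runs as root for any local user able to execute it; to narrow, as root:"
            echo "    chmod u-s $bin"
            echo "    setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip $bin"
            echo "  then run nmap with --privileged" ;;
        capabilities)
            echo "  file capabilities set; nmap still needs --privileged or NMAP_PRIVILEGED" ;;
        unprivileged)
            echo "  no raw sockets for non-root users; -sn falls back to TCP connect probes" ;;
    esac
}

# Default path is the one used in the thread; pass another path as $1.
report "${1:-/usr/bin/nmap}"
```

Run it as the `homeassistant` user as well as root, since the point of the thread is that the two see different results from the same binary.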