fkie-cad / fact_extractor

Standalone Utility for FACT-like extraction
GNU General Public License v3.0

Question: is privileged mode required? #97

Closed Oren-i closed 1 year ago

Oren-i commented 1 year ago

In the README, there is an example on how to run it using privileged mode, sharing the /dev folder.

Is this required? I mean, in case fact_extractor is not run with privileges, there would be limitations?

jstucke commented 1 year ago

Is this required?

No, the extractor should work without privileged mode.

in case fact_extractor is not run with privileges, there would be limitations?

If I remember correctly, only the "generic_fs" extraction plugin needs privileges in order to extract file systems (i.e. mount them). Without it, extraction of the following types won't work:

MIME_PATTERNS = [
    'filesystem/btrfs', 'filesystem/cramfs', 'filesystem/dosmbr', 'filesystem/ext2', 'filesystem/ext3',
    'filesystem/ext4', 'filesystem/f2fs', 'filesystem/fat', 'filesystem/hfs', 'filesystem/jfs', 'filesystem/minix',
    'filesystem/ntfs', 'filesystem/reiserfs', 'filesystem/romfs', 'filesystem/udf', 'filesystem/xfs', 'generic/fs',
]

The extractor shouldn't crash, though. The extraction should just be unsuccessful.
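
As an added example that is not part of the original thread or of fact_extractor itself: a small Python check that reads the capability set and seccomp mode the kernel exposes in /proc/self/status and reports which of the MIME types listed above the mount-based generic_fs plugin would be unable to handle in the current process. The MIME list is copied from the comment; the function names and the two sample status dumps are constructed for illustration.

```python
"""Check whether this process can use a mount-based extraction plugin such as generic_fs."""
import re
from typing import Dict, List

# Copied from the generic_fs plugin list quoted in the comment above.
GENERIC_FS_MIME_PATTERNS: List[str] = [
    'filesystem/btrfs', 'filesystem/cramfs', 'filesystem/dosmbr', 'filesystem/ext2', 'filesystem/ext3',
    'filesystem/ext4', 'filesystem/f2fs', 'filesystem/fat', 'filesystem/hfs', 'filesystem/jfs', 'filesystem/minix',
    'filesystem/ntfs', 'filesystem/reiserfs', 'filesystem/romfs', 'filesystem/udf', 'filesystem/xfs', 'generic/fs',
]

# Bit index of CAP_SYS_ADMIN in the kernel capability bitmask (linux/capability.h).
# mount(2) of a block device or loop image requires this capability.
CAP_SYS_ADMIN = 21


def _status_field(status_text: str, name: str) -> str:
    """Return the value of one 'Name:\\tvalue' line from a /proc/<pid>/status dump."""
    match = re.search(rf"^{name}:\s*(\S+)", status_text, re.MULTILINE)
    if match is None:
        raise ValueError(f"{name} not found in status text")
    return match.group(1)


def effective_caps(status_text: str) -> int:
    """Parse the CapEff hex bitmask (the capabilities actually in force)."""
    return int(_status_field(status_text, "CapEff"), 16)


def has_cap(mask: int, bit: int) -> bool:
    """True if capability number `bit` is set in `mask`."""
    return (mask >> bit) & 1 == 1


def seccomp_mode(status_text: str) -> int:
    """0 = disabled, 1 = strict, 2 = filter (Docker's default profile yields 2)."""
    return int(_status_field(status_text, "Seccomp"))


def mount_readiness(status_text: str) -> Dict[str, object]:
    """Summarise whether mounting is possible and which MIME types would otherwise fail."""
    can_mount = has_cap(effective_caps(status_text), CAP_SYS_ADMIN)
    return {
        "cap_sys_admin": can_mount,
        "seccomp_mode": seccomp_mode(status_text),
        "unextractable_types": [] if can_mount else list(GENERIC_FS_MIME_PATTERNS),
    }


# Constructed sample dumps (not captured from a real run). The first CapEff value is
# Docker's default capability set, which lacks CAP_SYS_ADMIN; the second is what
# --privileged yields on a kernel with 41 capabilities, with seccomp turned off.
UNPRIVILEGED_STATUS = "Name:\tpython3\nSeccomp:\t2\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tpython3\nSeccomp:\t0\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    # Inspect the running process itself (Linux only).
    with open("/proc/self/status", encoding="utf-8") as status_file:
        report = mount_readiness(status_file.read())
    print(f"CAP_SYS_ADMIN present: {report['cap_sys_admin']}")
    print(f"seccomp mode:          {report['seccomp_mode']}")
    for mime in report["unextractable_types"]:
        print(f"  cannot mount/extract: {mime}")
```

Run it inside the container in which fact_extractor runs; an empty "cannot mount/extract" list means the generic_fs plugin at least has the capability it needs. Note that the capability bit is a necessary but not sufficient condition: mounting an image file also needs a loop device under /dev and a seccomp profile that does not block mount(2), which is why the README example shares /dev and uses privileged mode rather than only adding CAP_SYS_ADMIN.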

dgutson commented 1 year ago

IIRC there is a way of mounting fs without root, eg with the udisks2 package or alike.

jstucke commented 1 year ago

IIRC there is a way of mounting fs without root, eg with the udisks2 package or alike.

Did you get it to work inside a docker container? I tried once but with no success. It would be great if we could get rid of the need for privileged mode.

dgutson commented 1 year ago

Never tried inside a container. @Oren-i ?

Oren-i commented 1 year ago

Thanks @jstucke. I tried to use udisks2 but it would not work, as it requires dbus, and I could not get it to work correctly inside the ubuntu docker image.