[BUG] Users with create permissions cannot scan for devices, only superusers can

[joshuafhiggins]

The bug

I'm not sure if this is intentional for security, but I would assume that network scanning to add a device is an alternative to manual creation and should have the same permission level.

The OS that UpSnap is running on

Ubuntu 24.04

Version of UpSnap

5.2.7

Your docker-compose.yml content

services:
  upsnap:
    container_name: upsnap
    image: ghcr.io/seriousm4x/upsnap:5 # images are also available on docker hub: seriousm4x/upsnap:5
    network_mode: host
    restart: unless-stopped
    volumes:
      - ./data:/app/pb_data
    # # To use a non-root user, create the mountpoint first (mkdir data) so that it has the right permission.
    # user: 1000:1000
    environment:
       - TZ=America/New_York # Set container timezone for cron schedules
    #   - UPSNAP_INTERVAL=*/10 * * * * * # Sets the interval in which the devices are pinged
    #   - UPSNAP_SCAN_RANGE=192.168.1.0/24 # Scan range is used for device discovery on local network
    #   - UPSNAP_SCAN_TIMEOUT=500ms # Scan timeout is nmap's --host-timeout value to wait for devices (https://nmap.org/book/man-performance.html)
    #   - UPSNAP_PING_PRIVILEGED=true # Set to false if you don't have root user permissions
    #   - UPSNAP_WEBSITE_TITLE=Custom name # Custom website title
    # # dns is used for name resolution during network scan
    # dns:
    #   - 192.18.0.1
    #   - 192.18.0.2
    # # you can change the listen ip:port inside the container like this:
    # entrypoint: /bin/sh -c "./upsnap serve --http 0.0.0.0:5000"
    # healthcheck:
    #   test: curl -fs "http://localhost:5000/api/health" || exit 1
    #   interval: 10s
    # # or install custom packages for shutdown
    # entrypoint: /bin/sh -c "apk update && apk add --no-cache <YOUR_PACKAGE> && rm -rf /var/cache/apk/* && ./upsnap serve --http 0.0.0.0:8090"

Reproduction steps

1. Create a new user with create permissions
2. Login with said user
3. Try to scan for devices

Additional information

I am willing to develop a fix for this.

[invario]

I'm not the author, but am interested in this issue. By user, I don't see a non-root user configured in your docker-compose.yml. Can you provide more detail about your exact setup?

[joshuafhiggins]

I'm not the author, but am interested in this issue. By user, I don't see a non-root user configured in your docker-compose.yml. Can you provide more detail about your exact setup?

I mean superusers in the context of PocketBase, the superuser is the first user created when initially setting up the container.

[invario]

Sorry, I'm not following what you mean. I'm completely unfamiliar with PocketBase.

I can tell you that from working on Docker and looking at UpSnap and the needed capabilities that nmap, which is responsible for the network scanning functionality, requires NET_RAW capability, and because it is a separate binary, it either needs to have setcap cap_net_raw=+ep run on it during the image build and the container can't have no-new-privileges set...or else the Docker user needs to be root.

[joshuafhiggins]

The network scans work fine normally and in my container I have given it host network access:

    network_mode: host

The problem is for other users created on UpSnap that have the ability to create devices can't run network scans.

Example of what I mean by superuser: https://pocketbase.io/docs/#:~:text=And%20that%27s%20it,REST%2Dish%20API

[invario]

OH! I never even utilized that functionality since I'm a solo user... Thanks for the info; I'd like to look into this too.

[joshuafhiggins]

This line is the problem specifically in backend/pb/pb.go

se.Router.GET("/api/upsnap/scan", HandlerScan).Bind(apis.RequireSuperuserAuth())

[invario]

Ah, so that's an easy "fix" then. I wonder what the reason is then.