Bug 254632

Summary: security/py-ospd-openvas: Set PATH prior to startup, run daemon as root
Product: Ports & Packages
Reporter: Eirik Oeverby <ltning-freebsd>
Component: Individual Port(s)
Assignee: Jose Alonso Cardenas Marquez <acm>
Status: Closed FIXED
Severity: Affects Only Me
Flags: bugzilla: maintainer-feedback? (acm)
Priority: ---
Version: Latest
Hardware: Any
OS: Any
Attachments:
  Patch for rc.d/ospd_openvas (flags: none)

Description Eirik Oeverby 2021-03-28 20:55:50 UTC
Created attachment 223675 [details]
Patch for rc.d/ospd_openvas

Two items:
- ospd-openvas expects to find various binaries in PATH, so this should be set to include /usr/local/(bin|sbin) explicitly. If there's a better way to do this, feel free to substitute.
- Scanning is impossible unless run as root. Alternative suggestion: setuid on binary. I *think* it is run using sudo on Linux, but haven't been able to fully make heads & tails of it.

Attached patch does both.
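The attached patch is not reproduced on this page. As an added illustration of the first item (not the reporter's patch and not the port's own ospd_openvas.in), here are the checks an rc.d start_precmd could run before launching the daemon, written as plain POSIX sh functions so they run anywhere: prepend /usr/local/bin and /usr/local/sbin to PATH only when they are absent, and confirm that the external binaries the scanner shells out to are reachable on that PATH. The binary names openvas and nmap are assumptions taken from the thread, not a list the port defines.

```shell
#!/bin/sh
# Added example, not the port's rc.d script or the reporter's patch.
# Helper logic an ospd_openvas rc.d start_precmd could use; binary names
# (openvas, nmap) are assumptions, not a list from the port.

# Prepend /usr/local/sbin and /usr/local/bin to a PATH string unless present.
ospd_build_path() {
    _p="$1"
    for _d in /usr/local/bin /usr/local/sbin; do
        case ":$_p:" in
            *":$_d:"*) ;;                  # already on the path, leave it alone
            *) _p="$_d${_p:+:$_p}" ;;      # handles an empty PATH without a trailing ':'
        esac
    done
    printf '%s\n' "$_p"
}

# Print (space-separated) the given binaries that are not executable in any
# directory of the given PATH string; prints nothing when all are found.
ospd_missing_bins() {
    _path="$1"; shift
    _missing=""
    for _b in "$@"; do
        _found=0
        _saved_ifs=$IFS; IFS=:
        for _d in $_path; do
            if [ -x "$_d/$_b" ]; then _found=1; break; fi
        done
        IFS=$_saved_ifs
        if [ "$_found" -eq 0 ]; then _missing="$_missing $_b"; fi
    done
    printf '%s\n' "${_missing# }"
}

# Exit status 0 when the daemon may start; 1 with a message on stderr otherwise.
ospd_precheck() {
    PATH=$(ospd_build_path "$PATH"); export PATH
    _m=$(ospd_missing_bins "$PATH" openvas nmap)
    if [ -n "$_m" ]; then
        echo "ospd_openvas: required binaries not found in PATH: $_m" >&2
        return 1
    fi
    return 0
}
```

Calling ospd_precheck from the rc.d script's start_precmd makes a missing scanner binary a clear start-up failure instead of an INTERRUPTED scan later.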
Comment 1 Jose Alonso Cardenas Marquez freebsd_committer freebsd_triage 2021-04-16 17:34:42 UTC
Did you try scanning with the gvm user?
Comment 2 Eirik Oeverby 2021-04-16 17:46:23 UTC
(In reply to Jose Alonso Cardenas Marquez from comment #1)
Yes, but you need to be root for nmap and friends to run.

It may be possible to overcome this with the correct mix of sysctls, but that would still be a problem when running from within a jail, for instance. Either way, if that is the expected mode of use, it should be documented how to make it work.
Comment 3 Jose Alonso Cardenas Marquez freebsd_committer freebsd_triage 2021-06-15 23:33:20 UTC
Hi, I'm working on updating openvas to 21.4.0. Almost everything is ready, but I found some socket connection problems. I hope to fix it as soon as possible so I can commit my changes.

On the other side, I was testing the problem with PATH and it is not necessary to define it in the rc scripts. Everything works without problems.

Scanning problems are solved by adding the gvm user to sudoers. Look at:

https://github.com/greenbone/ospd-openvas
Comment 4 commit-hook freebsd_committer freebsd_triage 2021-06-18 07:12:24 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=dc5371babb9ecb0effe15ece16356e1bb34a2206

commit dc5371babb9ecb0effe15ece16356e1bb34a2206
Author:     Jose Alonso Cardenas Marquez <acm@FreeBSD.org>
AuthorDate: 2021-06-18 07:02:32 +0000
Commit:     Jose Alonso Cardenas Marquez <acm@FreeBSD.org>
CommitDate: 2021-06-18 07:11:58 +0000

    security/gvm: Update to 21.4.0

    The following ports part of security gvm were updated

    security/gvmd: Update to 21.4.0
    security/gvm-libs: Update to 21.4.0
    security/openvas: Update to 21.4.0
    security/py-ospd-openvas: Update to 21.4.0
    security/py-ospd: Update to 21.4.0
    security/greenbone-security-assistant: Update to 21.4.0
    security/py-python-gvm: Update to 21.5.2
    security/py-gvm-tools: Update to 21.6.0

    Notable Changes in this Release

    - All components and the feed support CVSSv3/CVSSv3.1
    - GSA contains a new calculator for these CVSS versions
    - Rework of the login page in GSA to have a better entry point into our software
    - Dropped support for Internet Explorer
    - Dropped support for Microsoft Edge <= 18
    - Removed auto false positive feature
    - Removed GMP scanner support
    - Dropped dynamic severity classes
    - Removed support for Python 3.5 and lower

    PR:             254630 254632
    Reported by:    Eirik Oeverby <ltning-freebsd at anduin.net>

 security/greenbone-security-assistant/Makefile     |   5 +-
 security/greenbone-security-assistant/distinfo     |  10 +-
 security/gvm-libs/Makefile                         |   4 +-
 security/gvm-libs/distinfo                         |   6 +-
 security/gvm-libs/files/patch-boreas_ping.c        | 128 ++++++++-------------
 security/gvm-libs/pkg-plist                        |  21 ++--
 security/gvm/Makefile                              |   2 +-
 security/gvm/files/pkg-message.in                  |  32 ++++--
 security/gvm/pkg-descr                             |  12 ++
 security/gvmd/Makefile                             |  10 +-
 security/gvmd/distinfo                             |   6 +-
 .../gvmd/files/patch-src_manage_migrators.c (new)  |  27 +++++
 security/gvmd/files/patch-src_manage_sql.c         |  15 ++-
 security/gvmd/pkg-plist                            |  10 +-
 security/openvas/Makefile                          |   2 +-
 security/openvas/distinfo                          |   6 +-
 .../openvas/files/patch-nasl_nasl_packet_forgery.c |  34 ++++--
 .../files/patch-nasl_nasl_packet_forgery_v6.c      |  28 +++--
 .../files/patch-tools_greenbone-nvt-sync.in        |  26 ++++-
 security/openvas/pkg-plist                         |   9 +-
 security/py-gvm-tools/Makefile                     |   2 +-
 security/py-gvm-tools/distinfo                     |   6 +-
 security/py-ospd-openvas/Makefile                  |   2 +-
 security/py-ospd-openvas/distinfo                  |   6 +-
 security/py-ospd-openvas/files/ospd_openvas.in     |   8 +-
 security/py-ospd-openvas/pkg-plist                 |  46 ++++----
 security/py-ospd/Makefile                          |   2 +-
 security/py-ospd/distinfo                          |   6 +-
 security/py-python-gvm/Makefile                    |   2 +-
 security/py-python-gvm/distinfo                    |   6 +-
 security/py-python-gvm/files/patch-setup.py        |  74 ++++++++----
 31 files changed, 334 insertions(+), 219 deletions(-)
Comment 5 Jose Alonso Cardenas Marquez freebsd_committer freebsd_triage 2021-06-18 07:33:00 UTC
Hi, I have committed a 21.04 branch of gvm to the ports tree. Also, I applied your patch file.

I was doing some tests running openvas with sudo (called/executed from ospd_openvas), and ospd_openvas failed to detect the scan process (daemon.py); the scan process status was marked as INTERRUPTED. I don't know what the main reason is. I'll try to do more tests when I have free time. For this reason I have added an option to run ospd_openvas as root from rc.conf (look at security/gvm/pkg-message.in). It needs to run redis as the root user too.

Thanks for your PR