Bug 254632

Summary: security/py-ospd-openvas: Set PATH prior to startup, run daemon as root
Product: Ports & Packages
Reporter: Eirik Oeverby <ltning-freebsd>
Component: Individual Port(s)
Assignee: Jose Alonso Cardenas Marquez <acm>
Status: Open ---
Severity: Affects Only Me
Flags: bugzilla: maintainer-feedback? (acm)
Priority: ---
Version: Latest
Hardware: Any
OS: Any
Attachments:
- Patch for rc.d/ospd_openvas (flags: none)

Description Eirik Oeverby 2021-03-28 20:55:50 UTC
Created attachment 223675
Patch for rc.d/ospd_openvas

Two items:
- ospd-openvas expects to find various binaries in PATH, so this should be set to include /usr/local/(bin|sbin) explicitly. If there's a better way to do this, feel free to substitute.
- Scanning is impossible unless run as root. Alternative suggestion: setuid on binary. I *think* it is run using sudo on Linux, but haven't been able to fully make heads & tails of it.

Attached patch does both.

Comment 1 Jose Alonso Cardenas Marquez freebsd_committer 2021-04-16 17:34:42 UTC
Did you try scanning with the gvm user?

Comment 2 Eirik Oeverby 2021-04-16 17:46:23 UTC
(In reply to Jose Alonso Cardenas Marquez from comment #1)
Yes, but you need to be root for nmap and friends to run.

It may be possible to overcome this with the correct mix of sysctls, but that would still be a problem when running from within a jail, for instance. Either way, if that is the expected mode of use, it should be documented how to make it work.