Bug 254632 - security/py-ospd-openvas: Set PATH prior to startup, run daemon as root
Status: Closed FIXED
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Jose Alonso Cardenas Marquez
Reported: 2021-03-28 20:55 UTC by Eirik Oeverby
Modified: 2021-06-18 07:33 UTC

Attachments
Patch for rc.d/ospd_openvas (534 bytes, text/plain)
2021-03-28 20:55 UTC, Eirik Oeverby
Description Eirik Oeverby 2021-03-28 20:55:50 UTC
Created attachment 223675
Patch for rc.d/ospd_openvas

Two items:
- ospd-openvas expects to find various binaries in PATH, so this should be set to include /usr/local/(bin|sbin) explicitly. If there's a better way to do this, feel free to substitute.
- Scanning is impossible unless run as root. Alternative suggestion: setuid on binary. I *think* it is run using sudo on Linux, but haven't been able to fully make heads & tails of it.

Attached patch does both.
Comment 1 Jose Alonso Cardenas Marquez freebsd_committer 2021-04-16 17:34:42 UTC
Did you try scanning with the gvm user?
Comment 2 Eirik Oeverby 2021-04-16 17:46:23 UTC
(In reply to Jose Alonso Cardenas Marquez from comment #1)
Yes, but you need to be root for nmap and friends to run.

It may be possible to overcome this with the correct mix of sysctls, but that would still be a problem when running from within a jail, for instance. Either way, if that is the expected mode of use, it should be documented how to make it work.
Comment 3 Jose Alonso Cardenas Marquez freebsd_committer 2021-06-15 23:33:20 UTC
Hi, I'm working on updating openvas to 21.4.0. Almost everything is ready, but I found some socket connection problems. I hope to fix them as soon as possible so I can commit my changes.

On the other hand, I was testing the problem with PATH and it does not need to be defined in the rc scripts. Everything works without problems.

Scanning problems are solved by adding the gvm user to sudoers. Look at:

https://github.com/greenbone/ospd-openvas
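
Added example (not part of the bug thread, the attached patch, or the port): a small sh check for the PATH question discussed above. It lists which scanner binaries fail to resolve under the default PATH that FreeBSD's /etc/rc and service(8) give rc.d scripts, and whether adding /usr/local/sbin and /usr/local/bin resolves them. The tool list uses the two binaries named in the thread; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: which scanner helpers resolve under a given PATH?

# PATH that FreeBSD's /etc/rc and service(8) set for rc.d scripts.
RC_PATH="/sbin:/bin:/usr/sbin:/usr/bin"
# Directories the bug report proposes adding (overridable for testing).
LOCAL_DIRS=${LOCAL_DIRS:-/usr/local/sbin:/usr/local/bin}
# Assumed tool list: the binaries named in the thread. Extend as needed.
TOOLS="openvas nmap"

# missing_tools PATH_VALUE TOOL...
# Prints, space-separated, the tools with no executable file in PATH_VALUE.
missing_tools() {
    search_path=$1; shift
    missing=""
    for tool in "$@"; do
        found=no
        old_ifs=$IFS; IFS=:
        for dir in $search_path; do
            # Skip empty entries instead of treating them as the cwd.
            [ -n "$dir" ] || continue
            if [ -f "$dir/$tool" ] && [ -x "$dir/$tool" ]; then
                found=yes; break
            fi
        done
        IFS=$old_ifs
        [ "$found" = yes ] || missing="${missing:+$missing }$tool"
    done
    printf '%s\n' "$missing"
}

# path_report BASE_PATH TOOL...
# Reports what is missing with and without LOCAL_DIRS appended; succeeds
# only if every tool resolves once LOCAL_DIRS is on the PATH.
path_report() {
    base=$1; shift
    before=$(missing_tools "$base" "$@")
    after=$(missing_tools "$base:$LOCAL_DIRS" "$@")
    echo "missing under $base: ${before:-none}"
    echo "missing with $LOCAL_DIRS appended: ${after:-none}"
    [ -z "$after" ]
}

path_report "$RC_PATH" $TOOLS || echo "install the missing tools or fix PATH"
```

If the first line of output lists tools and the second prints "none", the daemon only finds its helpers when the rc script (or the daemon itself) extends PATH.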
Comment 4 commit-hook freebsd_committer 2021-06-18 07:12:24 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=dc5371babb9ecb0effe15ece16356e1bb34a2206

commit dc5371babb9ecb0effe15ece16356e1bb34a2206
Author:     Jose Alonso Cardenas Marquez <acm@FreeBSD.org>
AuthorDate: 2021-06-18 07:02:32 +0000
Commit:     Jose Alonso Cardenas Marquez <acm@FreeBSD.org>
CommitDate: 2021-06-18 07:11:58 +0000

    security/gvm: Update to 21.4.0

    The following ports part of security gvm were updated

    security/gvmd: Update to 21.4.0
    security/gvm-libs: Update to 21.4.0
    security/openvas: Update to 21.4.0
    security/py-ospd-openvas: Update to 21.4.0
    security/py-ospd: Update to 21.4.0
    security/greenbone-security-assistant: Update to 21.4.0
    security/py-python-gvm: Update to 21.5.2
    security/py-gvm-tools: Update to 21.6.0

    Notable Changes in this Release

    - All components and the feed support CVSSv3/CVSSv3.1
    - GSA contains a new calculator for these CVSS versions
    - Rework of the login page in GSA to have a better entry point into our software
    - Dropped support for Internet Explorer
    - Dropped support for Microsoft Edge <= 18
    - Removed auto false positive feature
    - Removed GMP scanner support
    - Dropped dynamic severity classes
    - Removed support for Python 3.5 and lower

    PR:             254630 254632
    Reported by:    Eirik Oeverby <ltning-freebsd at anduin.net>

 security/greenbone-security-assistant/Makefile     |   5 +-
 security/greenbone-security-assistant/distinfo     |  10 +-
 security/gvm-libs/Makefile                         |   4 +-
 security/gvm-libs/distinfo                         |   6 +-
 security/gvm-libs/files/patch-boreas_ping.c        | 128 ++++++++-------------
 security/gvm-libs/pkg-plist                        |  21 ++--
 security/gvm/Makefile                              |   2 +-
 security/gvm/files/pkg-message.in                  |  32 ++++--
 security/gvm/pkg-descr                             |  12 ++
 security/gvmd/Makefile                             |  10 +-
 security/gvmd/distinfo                             |   6 +-
 .../gvmd/files/patch-src_manage_migrators.c (new)  |  27 +++++
 security/gvmd/files/patch-src_manage_sql.c         |  15 ++-
 security/gvmd/pkg-plist                            |  10 +-
 security/openvas/Makefile                          |   2 +-
 security/openvas/distinfo                          |   6 +-
 .../openvas/files/patch-nasl_nasl_packet_forgery.c |  34 ++++--
 .../files/patch-nasl_nasl_packet_forgery_v6.c      |  28 +++--
 .../files/patch-tools_greenbone-nvt-sync.in        |  26 ++++-
 security/openvas/pkg-plist                         |   9 +-
 security/py-gvm-tools/Makefile                     |   2 +-
 security/py-gvm-tools/distinfo                     |   6 +-
 security/py-ospd-openvas/Makefile                  |   2 +-
 security/py-ospd-openvas/distinfo                  |   6 +-
 security/py-ospd-openvas/files/ospd_openvas.in     |   8 +-
 security/py-ospd-openvas/pkg-plist                 |  46 ++++----
 security/py-ospd/Makefile                          |   2 +-
 security/py-ospd/distinfo                          |   6 +-
 security/py-python-gvm/Makefile                    |   2 +-
 security/py-python-gvm/distinfo                    |   6 +-
 security/py-python-gvm/files/patch-setup.py        |  74 ++++++++----
 31 files changed, 334 insertions(+), 219 deletions(-)
Comment 5 Jose Alonso Cardenas Marquez freebsd_committer 2021-06-18 07:33:00 UTC
Hi, I have committed a 21.04 branch of gvm to the ports tree. I also applied your patch file.

I was doing some tests running openvas with sudo (called/executed from ospd_openvas), and ospd_openvas failed to detect the scan process (daemon.py) and the scan process status was marked as INTERRUPTED. I don't know what the main reason is. I'll try to do more tests when I have free time. For this reason I have added an option to run ospd_openvas as root from rc.conf (look at security/gvm/pkg-message.in). It needs redis to run as a root user too.

Thanks for your PR