Bug 254632 - security/py-ospd-openvas: Set PATH prior to startup, run daemon as root
Summary: security/py-ospd-openvas: Set PATH prior to startup, run daemon as root
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Jose Alonso Cardenas Marquez
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-28 20:55 UTC by Eirik Oeverby
Modified: 2021-04-16 17:46 UTC (History)
0 users

See Also:
bugzilla: maintainer-feedback? (acm)


Attachments
Patch for rc.d/ospd_openvas (534 bytes, text/plain)
2021-03-28 20:55 UTC, Eirik Oeverby
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Eirik Oeverby 2021-03-28 20:55:50 UTC
Created attachment 223675 [details]
Patch for rc.d/ospd_openvas

Two items:
- ospd-openvas expects to find various binaries in PATH, so this should be set to include /usr/local/(bin|sbin) explicitly. If there's a better way to do this, feel free to substitute.
- Scanning is impossible unless run as root. Alternative suggestion: setuid on binary. I *think* it is run using sudo on Linux, but haven't been able to fully make heads&tails of it

Attached patch does both.
Comment 1 Jose Alonso Cardenas Marquez freebsd_committer 2021-04-16 17:34:42 UTC
did you try scanning with gvm user?
Comment 2 Eirik Oeverby 2021-04-16 17:46:23 UTC
(In reply to Jose Alonso Cardenas Marquez from comment #1)
Yes, but you need to be root for nmap and friends to run.

It may be possible to overcome this with the correct mix of sysctls, but that would still be a problem when running from within a jail, for instance. Either way, if that is the expected mode of use, it should be documented how to make it work.