Gvmd user management

Use this category only if you have built GSE or components thereof from sources.

Please read About the Greenbone Source Edition (GSE) and About GVM Architecture before posting.

When posting you should provide information about your environment using the following template:

GVM versions

gsa: NOT-INSTALLED
gvm: Greenbone Vulnerability Manager 8.0.0, GIT revision a8d8e26f-HEAD
gvm-libs: V10

Environment

Operating system: debian stretch
Installation method / source: Compiling source code

Hi, I recently compiled and installed gvmd (V8) and openvas. According to the readme, the first (privileged user) should be created via:
“You can create an administrator user with the --create-user option of gvmd:
gvmd --create-user=myuser”


I noticed that after the first creation, and even after starting gvmd, the --create-user method still succeeds in creating admin users upon invocation (which is not secure at all on a very privileged machine).
Am I missing something?
How can I prevent other user creation after the first Admin?

Thanks ahead :slight_smile:

You can't; this is part of the permission model. An admin can always create other users and assign permissions and roles to them. You should never expose the admin interface externally or to a 3rd party.

As well, you can always create new admins in case you lose one admin credential :wink: I suggest you first learn about the role-based permission model to understand how the internal user and permission handling works.

2 Likes
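
Added example, not part of the thread and not Greenbone's own code: since creating users through the gvmd command line cannot be switched off, a defender can at least detect accounts nobody approved. It assumes `gvmd --get-users` prints one account name per line; the allowlist path in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example: flag gvmd accounts that are not on an approved list.

# audit_gvmd_users ALLOWLIST_FILE
# Reads current account names on stdin (one per line, the assumed
# output format of `gvmd --get-users`) and prints every name that is
# missing from ALLOWLIST_FILE.
# Returns 0 if every account is approved, 1 if unexpected accounts
# were found, 2 if the allowlist cannot be read.
audit_gvmd_users() {
    allowlist="$1"
    unexpected=0
    if [ ! -r "$allowlist" ]; then
        echo "cannot read allowlist: $allowlist" >&2
        return 2
    fi
    while IFS= read -r user || [ -n "$user" ]; do
        [ -n "$user" ] || continue      # skip blank lines
        # -F fixed string, -x whole line: "admin" must not match "admin2"
        if ! grep -Fxq -- "$user" "$allowlist"; then
            printf '%s\n' "$user"
            unexpected=1
        fi
    done
    return "$unexpected"
}

# Usage on the scanner host, e.g. from cron (path is hypothetical):
#   gvmd --get-users | audit_gvmd_users /etc/gvm/approved-users.txt \
#       || echo "unexpected gvmd account(s) found" >&2
```

Keep the allowlist writable only by the people who are allowed to approve accounts, otherwise the check can be silenced by whoever adds the user.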