How to use socketpath in gvm-cli


#1

I was having the same problem and, reading the post accepted as an answer, thought it was done, but if you put the authentication XML in the command line, it will probably work. That is, something like: gvm-cli socket --socketpath=/var/run/openvasmd.sock --xml "<authenticate><credentials><username>admin_user</username><password>admin_password</password></credentials></authenticate><start_task task_id='6c6ea627-a908-4129-9ad9-dfce72f4609f'/>"

I’ve done a create_target that way as well. The other thing I’ve found is that you have to be root, and you need to put in the socketpath. I installed mine from the Ubuntu repo, so there may be differences, but those things worked for me (after a lot of head banging).


#2

Hi,

the socket connection type should usually be used for GSE-based installations. The --socketpath argument must point to the socket provided by gvmd/openvasmd. We don’t have this path under control and different distributions use different paths. See for example the following topic: Authentication failed with gvm-cli

The other connection types are mostly for GOS 3.1 (TLS) and GOS 4 (SSH) on GSMs.

You need normal unix file permissions to be able to access the unix socket of gvmd/openvasmd. Therefore you can adjust the permissions, user and group of the socket via gvmd/openvasmd parameters. You should NOT run any Python script as the root user just to avoid caring about file permission settings.

We are currently in a process of writing (better) user documentation for gvm-tools. See https://gvm-tools.readthedocs.io/en/latest/ for a first draft.


#3

Is there a way to control the permissions of the socket at server start? It seems every time the service restarts, the socket comes up with root:root access. It can be changed, but it seems like I would have to put a "sudo chown" at the top before I ran scripts, or run them as root, as my update script restarts the service daily.


#4

gvmd/openvasmd MUST NOT run as root. You should create a separate user and run it with adjusted permissions.

For setting the unix socket permissions please take a look at gvmd --help

  --listen-owner=<string>                      Owner of the unix socket
  --listen-group=<string>                      Group of the unix socket
  --listen-mode=<string>                       File mode of the unix socket
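
As an added example (not code from gvmd or gvm-tools), the following Python script shows what the permission problem in this thread looks like from the client side and how the three flags above resolve it. It checks whether a given user could connect to a unix socket (on Linux, connect(2) needs read and write permission on the socket file), creates a throwaway socket in a temporary directory as a stand-in for the real gvmd/openvasmd socket, and builds the gvmd --listen-owner/--listen-group/--listen-mode arguments. Only the three flag names come from the gvmd --help excerpt; the function names, the 660 default mode and the "gvm" user are this example's own assumptions.

```python
"""Check who can reach a gvmd/openvasmd unix socket and build the gvmd
--listen-owner/--listen-group/--listen-mode flags that make the socket come
up with the right owner, group and mode on every restart.

Added example; not code from gvmd or gvm-tools.  Only the three flag names
come from `gvmd --help`; the rest (function names, the 660 default mode,
the 'gvm' user) is this example's own choice.
"""
import os
import socket
import stat
import tempfile

# connect(2) on a unix socket needs read AND write permission on the socket
# file (Linux semantics), so that is what "accessible" means below.
_RW_USER = stat.S_IRUSR | stat.S_IWUSR
_RW_GROUP = stat.S_IRGRP | stat.S_IWGRP
_RW_OTHER = stat.S_IROTH | stat.S_IWOTH


def socket_access(path, uid=None, gids=None):
    """Return owner uid, group gid, mode and whether `uid` (with supplementary
    groups `gids`) could connect to the unix socket at `path`.  Both default
    to the calling process.  Raises ValueError if `path` is not a socket."""
    if uid is None:
        uid = os.geteuid()
    if gids is None:
        gids = set(os.getgroups()) | {os.getegid()}
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a unix socket")
    mode = stat.S_IMODE(st.st_mode)
    if uid == 0:
        # root bypasses DAC, which is exactly why "just run it as root"
        # hides a permission problem instead of fixing it
        accessible = True
    elif uid == st.st_uid:
        accessible = (mode & _RW_USER) == _RW_USER
    elif st.st_gid in gids:
        accessible = (mode & _RW_GROUP) == _RW_GROUP
    else:
        accessible = (mode & _RW_OTHER) == _RW_OTHER
    return {"owner": st.st_uid, "group": st.st_gid, "mode": mode,
            "accessible": accessible}


def gvmd_listen_flags(owner, group, mode="660"):
    """Flags for the gvmd command line (names from `gvmd --help`).  660 keeps
    the socket closed to everyone outside the owner and the chosen group."""
    return [f"--listen-owner={owner}",
            f"--listen-group={group}",
            f"--listen-mode={mode}"]


def simulate(mode, same_owner=False, same_group=False):
    """Create a throwaway unix socket with `mode` in a temp dir and report
    whether a synthetic non-root user (the owner, a member of the socket's
    group, or neither) could connect to it.  Stand-in for the real socket."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "gvmd.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        os.chmod(path, mode)
        actual = socket_access(path)  # the creating process itself
        uid = actual["owner"] if same_owner else actual["owner"] + 1
        gids = {actual["group"]} if same_group else {actual["group"] + 1}
        return socket_access(path, uid=uid, gids=gids)["accessible"]
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    # A socket that comes back as root:root 0600 after a restart is unreachable
    # for a normal user; owner/group plus 660 with the user in the group fixes it.
    print("root:root 0600, other user     ->", simulate(0o600))
    print("gvm:gvm   0660, user in group  ->", simulate(0o660, same_group=True))
    print("gvm:gvm   0660, user elsewhere ->", simulate(0o660))
    print("start gvmd with:", " ".join(gvmd_listen_flags("gvm", "gvm")))
```

Because the check takes the uid and group set as parameters, it can be run as the unprivileged user that will execute the gvm-cli scripts, rather than as root where the answer is always "accessible" and tells you nothing.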

#5

Thanks for the pointer, took a couple of tries and reading the comments in the init.d file, but got it. On a side note, first, let me say a huge thank you to all who have made Greenbone/OpenVAS what it is for the community. I wanted to get that out of the way before I commented that I always find it amusing when something MUST NOT be run the way it defaults to run. I don’t disagree with you, that it should not run as root, but the install does nothing to stop it, and you have to have a little skill and do some digging to get there.


#6

Thanks for your feedback!

It’s general security advice not to run any daemon as the root user. In nearly all cases it isn’t necessary at all. Most of the time it is a misconfiguration of permissions if somebody has to run a daemon as root.

We as Greenbone can’t do much about it. We are not packaging GSE for any distribution besides Greenbone OS. I’ve added a check for gvm-tools but don’t think something like this should be included into the daemons.