I’ll need some clarification about Greenbone and compiling it from source. So my understanding is that it should not be run under root, except for the openvas-scanner. Furthermore, when compiling from source, by default it is installed under root. Which means that I’ll have to run it as sudo.
So what I’ve been trying to do, to avoid installing and running it under root is the following:
- Install gvm-libs under root, because the openvas-scanner needed it.
- Install openvas-scanner under root, because it says that it should run under root.
- Install gvmd under a user, since this shouldn’t be run as root. This presented some issues that needed to be solved:
I needed to manually create the run directory in the install path, as this is required for the lockfile: mkdir /home/vagrant/GVM/gvmd/var/run
Second problem was that the openvassd.sock was expected at a different location. This was solved by using a symbolic link: sudo ln -s /usr/local/var/run/openvassd.sock /home/vagrant/GVM/gvmd/var/run/
I only have a bad workaround for the third problem, so I’d appreciate it if someone could help me with it. When running gvmd --listen 127.0.0.1 I get the following message in the logfile: pidfile_create: failed to open pidfile: Permission denied
Obviously this could be avoided by running it as sudo, but that’s not the desired way. So what I did is the following: Run it as sudo, so the gvmd.pid file gets created, then change permissions on the pidfile and openvassd.sock to my user:
sudo chown vagrant:vagrant /usr/local/var/run/gvmd.pid
sudo chown vagrant:vagrant /usr/local/var/run/openvassd.sock
Then it was also required to change the permissions in the home folder for gvmd, as some new files got created under root by running it with root permissions:
sudo chown -R vagrant:vagrant /home/vagrant/GVM/gvmd/*
After all this, it is possible to run gvmd with the user “vagrant”.
This workaround is really bad, as I need to run gvmd as root once and then change permissions. Is there a better workaround for pidfile_create: failed to open pidfile: Permission denied?
- Install gsa under a user, since this also doesn’t need to run as root. Issue #1:
main: Could not write PID file. The only way I can solve this is by running it as root. How do I run this as a non-root user?
main: Could not load SSL certificate from /home/vagrant/GVM/gsa/var/lib/gvm/CA/servercert.pem: Failed to open file ‘/home/vagrant/GVM/gsa/var/lib/gvm/CA/servercert.pem’: No such file or directory
main: Could not load private SSL key from /home/vagrant/GVM/gsa/var/lib/gvm/private/CA/serverkey.pem: Failed to open file ‘/home/vagrant/GVM/gsa/var/lib/gvm/private/CA/serverkey.pem’: No such file or directory
This I solved by creating symbolic links to the key and cert. Is there also another way to do this or would this be acceptable?
So basically I’d like some help with bullet points 3 and 4 and whether this is a good solution to avoid running Greenbone under root. I cannot install it through a package manager, as they are not up-to-date and use beta versions, so compiling from source is the only way.
gsa: Greenbone Security Assistant 8.0.2~git-a33f3d887-gsa-8.0
gvm: Greenbone Vulnerability Manager 8.0.2
GIT revision 21bc2130-gvmd-8.0
Manager DB revision 205
openvas-scanner: GIT revision fb68d69-openvas-scanner-6.0
gvm-libs: git clone -b gvm-libs-10.0 --single-branch https://github.com/greenbone/gvm-libs.git
Operating system: Debian 9
Kernel: Linux debian 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u4 (2019-07-19) x86_64 GNU/Linux
Installation method / source: Source
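
The three gvmd problems listed in the post (missing run directory, misplaced scanner socket, unwritable pidfile) plus the root-owned leftovers can be checked before starting the daemon as an unprivileged user. The script below is an added example, not part of the original post or of the Greenbone sources; gvm_preflight and its finding labels are hypothetical names, and the paths in the usage comment are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: pre-flight check before starting gvmd as a non-root user.
# Usage (paths taken from the post):
#   gvm_preflight /home/vagrant/GVM/gvmd \
#       /usr/local/var/run/openvassd.sock /usr/local/var/run/gvmd.pid

gvm_preflight() {
    prefix=$1; scanner_sock=$2; pidfile=$3
    run_dir="$prefix/var/run"
    link="$run_dir/$(basename "$scanner_sock")"
    rc=0

    # Run directory for the lockfile must exist and be writable by this user.
    if [ ! -d "$run_dir" ]; then
        echo "MISSING_RUN_DIR $run_dir"; rc=1
    elif [ ! -w "$run_dir" ]; then
        echo "RUN_DIR_NOT_WRITABLE $run_dir"; rc=1
    fi

    # The symlink to the scanner socket must resolve to a usable socket.
    if [ -L "$link" ] && [ ! -e "$link" ]; then
        echo "DANGLING_SOCKET_LINK $link"; rc=1
    elif [ ! -S "$link" ]; then
        echo "NO_SCANNER_SOCKET $link"; rc=1
    elif [ ! -r "$link" ] || [ ! -w "$link" ]; then
        echo "SOCKET_NOT_ACCESSIBLE $link"; rc=1
    fi

    # Opening the pidfile needs a writable file or a writable parent directory.
    if [ -e "$pidfile" ]; then
        [ -w "$pidfile" ] || { echo "PIDFILE_NOT_WRITABLE $pidfile"; rc=1; }
    elif [ ! -w "$(dirname "$pidfile")" ]; then
        echo "PIDFILE_DIR_NOT_WRITABLE $(dirname "$pidfile")"; rc=1
    fi

    # Files left behind by an earlier root run show up as foreign-owned.
    foreign=$(find "$prefix" ! -user "$(id -u)" 2>/dev/null | head -n 5)
    if [ -n "$foreign" ]; then
        echo "FOREIGN_OWNED_FILES"; echo "$foreign"; rc=1
    fi
    return "$rc"
}
```

Each finding is printed on its own line and the function returns non-zero if any check failed, so it can gate a start script run as the unprivileged user.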