Permissions issue (can't see reports) after upgrade from 20.08 to 21.4

Hi everyone,

After installing the gvm/openvas updates, and migrating the database to the new schema, I have a situation where reports and their dates are no longer listed in the GSAD interface.

The ‘date’ column is blank when viewing them through the ‘reports’ tab, and the link to the report itself is also missing.

When looking at the ‘tasks’ tab, the tasks show properly, the number of reports is listed, but the ‘Last Report’ column is blank.

Additionally, when looking at the Report Formats, the reports are listed as expected, but the “Trust (Last Verified)” column, for each report, shows “Yes (Invalid Date)”

I did an NVT update and rebuild. Feed Status “Current” for NVT, SCAP, and CERT: " 0211006T0030 Current", and GVMD_DATA shows " 20210930T0908 5 days old"

Any ideas for where to look for a resolution? I don’t see anything obvious in the GVM and related software logs.

Thanks for any advice! 🙂

GVM versions

gsad: % gsad --version
Greenbone Security Assistant 21.4.2

gvmd: % gvmd --version
Greenbone Vulnerability Manager 21.4.3
Manager DB revision 242

openvas-scanner: % openvas --version
OpenVAS 21.4.2
gvm-libs 21.4.2

Environment

Operating system: FreeBSD 12.2-RELEASE r366954 GENERIC
Installation method / source: FreeBSD pkg repository

As I dig in a bit more it appears to be a permissions issue. There is an admin user (which is the feed owner) that is not typically used except for adding and maintaining other users, and a set of admin users that are also part of a superadmin group, so that users in this group can have full shared access to the tasks and reports.

The feed owner can view the dates on the report formats. I added the feed owner to the superadmin group, and it is now able to see the previous reports and their dates. However, none of the other admin users in this group can see the reports - not even the user who ran the task!

The description of this group in the Group/Permission view reads “Group SuperUser has super access to all resources of Group SuperUser”, but if I edit, it then reads

“Group SuperUser has super access to all resources of unknown SuperUser”

So I think this group linkage is not working as it did previously.

Any pointers on how to repair this would be appreciated. I’ve already tried to re-create the group and it’s displaying and behaving exactly the same.

If there is still a way to assign users to a super admin role, that would be fine for my purpose - only users with full access exist on this server. I haven’t yet found documentation on how to add that role to existing users using gvmd.

Thanks!

One more update, probably my last until someone else has an idea regarding this… I added my user to the Super Admin group manually from postgresql.

It’s still the case that my own user, which was previously an “Admin” user, and is now a “Super User”, cannot view the dates and URLs of any of the existing reports.

I’d welcome any ideas for how to resolve this. Dropping the entire database and setting up from scratch would be the last resort.

Thanks!

Hi @mstaudinger and welcome, 😀

This is pretty interesting, and thank you for the details. Let’s see if I’m understanding this right, since I’ve used FreeBSD on occasion but am not super-familiar with it, and hopefully others with a similar setup and configuration or more familiar with the issue can jump in.

It worked until the upgrade. After upgrade:

Dates and links to reports were blank, number of reports showed up, Last Report was blank.

Report Formats has something weird going on with “Yes (Invalid Date)”

Feed owner sees everything correctly

Superadmin sees everything correctly

Some but not all admins are superadmin

None of the admins including those as superadmin can see the reports

An admin user with superadmin privileges cannot see their own reports

Editing description of Group/Permission-

Before editing:

“Group SuperUser has super access to all resources of Group SuperUser”

After editing:

“Group SuperUser has super access to all resources of unknown SuperUser” (my emphasis)

Recreation of the group results in the same behavior.

Adding your user manually from Admin to Super Admin results in fewer privileges and that user cannot view dates and URLs from previously generated reports.

Does the above look right to you? I just want to make sure we’re understanding the issue correctly first before going further.

Thanks!

DeeAnn


Hi DeeAnn,

You’ve got most of the details correct but I will clarify a few points. To make things a bit clearer, there are 4 users.

uid 1 is the feed owner, created with the cli during installation. Admin role
uid 2-4 are created by uid 1 with the web ui. Admin role. I use uid 2.
uid 2 created a “special” group SuperUser to share scan sets and results with uid 3,4, and so on. All these users are in the admin role. Not to be confused with the “Super Admin” role. No users were in that role prior to the upgrade. All uids 2-4 could see the scan sets and reports prior to the upgrade.

After the upgrade, only the feed owner could see reports, and dates, and the report format dates. No other user could see these items properly. I migrated uid 2 to the “super admin” role as a test, but it had no effect.

So the situation with permissions on seeing the dates and reports affected all users except for the feed owner.

As uid 2, after the upgrade, I could see the scan sets, I could start a scan, but could not see any of the previous reports, nor the report for the scan issued after the upgrade.

Hope that helps!

Hi @mstaudinger and thanks for the info. Ok, yep, that’s pretty weird. I’ll see if I can get some more people to look and I’ll let you know. Thanks!


I set up a new install on a test box to confirm. Wasn’t able to replicate the issue (this was a new install with 21.4, not an upgrade from 20.08). But my time doesn’t currently allow for any more testing of this scenario, so I’ll leave my resolution here in case anyone else runs into this situation.

Wound up deleting (my) user, delegating all my items to the global admin user, then re-creating the new group and adding my re-created user to it. I and the other users of that group can now see all the previous tasks and reports. I did not have to re-create the other two users.

The only changes between the previous setup and now are two:

  1. newly created user and group. Perhaps there was a related user or group setting that didn’t migrate properly?
  2. Before, my user had created the super group and added the other users. This time around, the global admin created the super group. Not sure if there’s a functional difference.

Very cool! Thank you for posting the solution, that should help when someone else runs into this. 😀