"This tool must not be run as root user" Any guide on the alternative approaches?

I’m pretty new to OpenVAS but I’ve finally been able to take advantage of the sample scripts to get a really nice wrapper built in. However, I’m running into one final issue.

When trying to use gvm-script, I get the error about running it as root. While I can definitely appreciate the concern about security (I’m a pentester), I’m wondering what are some alternative approaches. I know I can just simply modify the script to avoid making the do_not_run_as_root() call, but I want to implement a solution for my wrapper that’s going to be pretty sustainable.

When creating another user account, I just simply face a bunch of permission errors, but I’m not quite sure where it’s coming from. Here’s what I’ve done.

  1. Created a user called “openvas”
  2. Added the “openvas” user to sudoers

Here’s the command that I’m trying to run:

runuser -u openvas -- gvm-script --gmp-username admin --gmp-password $(cat /home/openvas/.openvas_creds.txt) socket /home/openvas/gvm-myscript.py

However, this presents me with a Permission Denied error. But if I run it with sudo, then I get the same error about running as root.

What exactly do I need to do here? I can’t run it as sudo, but I don’t have permissions to run it as a regular user. I added the openvas user to the _gvm group because that group owns the socket file. That seems to have done the trick for now, but not quite sure if this is a recommended approach.

Running a tool (other than system tools like cp, mkdir, etc.) as root is never a good idea. You should be very suspicious if some guide advises you to do that.

You should also not run the scripts of gvm-tools as root via sudo. There is NO requirement for that. The only thing in our stack that needs root permissions is the openvas scanner.

In your case it is very likely that the permission error is caused by not being able to open the unix socket for the communication with gvmd. Because I am not aware of your installation method, I can’t give you a concrete answer where you can find the socket in the filesystem. It should be somewhere in /var/run. You need to check the permissions of this socket. Your current user needs rw permissions for it. To adjust the permissions you need to start gvmd with different flags (hint: --listen-owner, --listen-group, --listen-mode). When using gvm-cli you need to ensure that the path to the socket is correct (--socketpath argument; can also be adjusted via a config file).

2 Likes
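The socket permission check described in the answer above, as an added example that is not part of the original thread or of gvm-tools: it reports which permission class (owner, group or other) applies to a user and whether that class grants read and write on the socket. The socket path is taken from the command line because the thread does not give it; ACLs and SELinux/AppArmor are not modelled.

```python
import os
import stat
import sys

# Read+write bit mask for each classic Unix permission class.
RW = {"owner": stat.S_IRUSR | stat.S_IWUSR,
      "group": stat.S_IRGRP | stat.S_IWGRP,
      "other": stat.S_IROTH | stat.S_IWOTH}

def socket_access(mode, owner_uid, owner_gid, uid, gids):
    """Return (permission class, has read+write) from the mode bits.

    Exactly one class applies: owner, else group, else other, so an
    owner with fewer bits than the group is still judged as owner.
    """
    if uid == 0:
        return "root", True  # root bypasses the mode bits entirely
    if uid == owner_uid:
        cls = "owner"
    elif owner_gid in gids:
        cls = "group"
    else:
        cls = "other"
    return cls, (mode & RW[cls]) == RW[cls]

def check_socket(path, uid=None, gids=None):
    """Stat path and report whether uid/gids (default: this process) get rw."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")
    uid = os.geteuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getegid()} if gids is None else set(gids)
    cls, ok = socket_access(st.st_mode, st.st_uid, st.st_gid, uid, gids)
    return {"path": path, "owner": st.st_uid, "group": st.st_gid,
            "mode": oct(stat.S_IMODE(st.st_mode)), "class": cls, "rw": ok}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_gvmd_socket.py /path/to/gvmd/socket")
    report = check_socket(sys.argv[1])
    print(report)
    sys.exit(0 if report["rw"] else 1)
```

Run it as the account that will call gvm-script, not as root, so the process's own IDs are checked. A group added to an account only applies to sessions started after the change, and every parent directory of the socket must also be searchable by that account.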

Thanks @bricks. Adding the user to the _gvm group seems to have done the trick, as that group has permissions to the socket file.