Under which user should each of the sync jobs run?

I am trying to write systemd services for the sync jobs, but I am not sure which user should execute which of the commands.

In cron, I had:
0 14 * * * sudo -u gvm /opt/gvm/bin/greenbone-nvt-sync
0 15 * * * greenbone-feed-sync --type GVMD_DATA
0 16 * * * greenbone-feed-sync --type SCAP
0 17 * * * greenbone-feed-sync --type CERT

However, when I try to run, for example, GVMD_DATA without User=gvm in the systemd service, I get:

Service:

[Unit]
Description=Greenbone GVMD_DATA Sync
Wants=greenbone-gvmd_data-sync.timer

[Service]
Type=simple
ExecStart=/opt/gvm/bin/greenbone-feed-sync --type GVMD_DATA

[Install]
WantedBy=multi-user.target

Error:

Feb 16 10:13:23 idc.ovas2.prod.hous.prg.mynet.cz systemd[1]: Started Greenbone GVMD_DATA Sync.
Feb 16 10:13:23 idc.ovas2.prod.hous.prg.mynet.cz greenbone-feed-sync[3105234]: su: user @GVM_DEFAULT_DROP_USER@ does not exist
Feb 16 10:13:23 idc.ovas2.prod.hous.prg.mynet.cz systemd[1]: greenbone-gvmd_data-sync.service: Main process exited, code=exited, status=1/FAILURE
Feb 16 10:13:23 idc.ovas2.prod.hous.prg.mynet.cz systemd[1]: greenbone-gvmd_data-sync.service: Failed with result 'exit-code'.

If I edit the systemd service like so, I get a different error, but the service no longer is marked as failed:

Service:

[Unit]
Description=Greenbone GVMD_DATA Sync
Wants=greenbone-gvmd_data-sync.timer

[Service]
Type=simple
ExecStart=/opt/gvm/bin/greenbone-feed-sync --type GVMD_DATA
User=gvm
Group=gvm

[Install]
WantedBy=multi-user.target

Error:

Feb 16 10:14:44 idc.ovas2.prod.hous.prg.mynet.cz greenbone-feed-sync[3105292]: If you have any questions, please use the Greenbone community portal.
Feb 16 10:14:44 idc.ovas2.prod.hous.prg.mynet.cz greenbone-feed-sync[3105292]: See https://community.greenbone.net for details.
Feb 16 10:14:44 idc.ovas2.prod.hous.prg.mynet.cz greenbone-feed-sync[3105292]: By using this service you agree to our terms and conditions.
Feb 16 10:14:44 idc.ovas2.prod.hous.prg.mynet.cz greenbone-feed-sync[3105292]: Only one sync per time, otherwise the source ip will be temporarily blocked.
Feb 16 10:14:45 idc.ovas2.prod.hous.prg.mynet.cz greenbone-feed-sync[3105292]: receiving incremental file list
Feb 16 10:14:45 idc.ovas2.prod.hous.prg.mynet.cz greenbone-feed-sync[3105292]: timestamp
Feb 16 10:14:45 idc.ovas2.prod.hous.prg.mynet.cz greenbone-feed-sync[3105292]: [110B blob data]
Feb 16 10:14:45 idc.ovas2.prod.hous.prg.mynet.cz greenbone-feed-sync[3105292]: sent 43 bytes  received 114 bytes  104.67 bytes/sec
Feb 16 10:14:45 idc.ovas2.prod.hous.prg.mynet.cz greenbone-feed-sync[3105292]: total size is 13  speedup is 0.08
Feb 16 10:14:45 idc.ovas2.prod.hous.prg.mynet.cz greenbone-feed-sync[3105292]: /opt/gvm/bin/greenbone-feed-sync: line 610: @GVM_FEED_LOCK_PATH@: Permission denied

What is the correct method for each of the feed syncs and the NVT sync?

It looks like an environment expansion issue. You need to check that your macros are correct by building your systems; otherwise the script tries to access “@GVM_FEED_LOCK_PATH@”, which is not a correct filesystem path, and you will get a Permission denied. Check your macro expansion and variables.

Why do you plan to start the feed-sync via systemd? It makes no sense to sync via your init system.

Systemd provides a concept of timers, which can be used similarly to how cron is used.

Could you specify what that means? When running as root from the CLI, the error isn’t there and the path is created without any issues. The path in which it is created is owned correctly by gvm/gvm.

What is the correct user to run the feed syncs under? Is it gvm for all of them?

Thank you for your advice

If you use an uncoordinated integration or self compile it, it depends on your setup.

You need to create the user and permissions according to your permission model. But this looks like a macro/shell/environment issue you need to debug. Rule of thumb: do not use root for the feed-sync and other non-privileged tasks.


Alright, thank you for the answer. I will attempt to check this, however everything seems to be functional right now even with that permission denied error

These are variables which are replaced during building our software via cmake. I suspect you just copied the .in scripts from the source directories or something went wrong during your build.

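A quick way to confirm the diagnosis above before enabling a timer is to scan the installed script for cmake placeholders that were never substituted. The check below is an added example, not code from the thread or from Greenbone; the function name and the sample file are constructed, and the real path to inspect on the poster's system would be /opt/gvm/bin/greenbone-feed-sync.

```shell
#!/bin/sh
# Added example: report cmake placeholders of the form @NAME@ that survived
# into an installed script (a sign the .in template was copied unbuilt).
# Prints each distinct placeholder on its own line; returns 1 if any were
# found, 0 if the file is clean, 2 if it cannot be read.
find_unexpanded_macros() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # grep -o emits only the matching tokens; sort -u deduplicates them.
    found=$(grep -oE '@[A-Z][A-Z0-9_]*@' "$file" | sort -u)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample that mimics an unbuilt .in template; the two
# placeholder names are the ones that appear in the thread's journal output.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#!/bin/sh
DROP_USER="@GVM_DEFAULT_DROP_USER@"
LOCK_FILE="@GVM_FEED_LOCK_PATH@"
FEED_DIR="/var/lib/gvm/feed"
su "$DROP_USER" -c "flock $LOCK_FILE rsync ..."
EOF

# Constructed sample of a correctly built script for comparison.
CLEAN=$(mktemp)
printf 'LOCK_FILE="/var/lib/gvm/feed-update.lock"\n' > "$CLEAN"

find_unexpanded_macros "$SAMPLE" || echo "unexpanded placeholders found in $SAMPLE" >&2
find_unexpanded_macros "$CLEAN" && echo "$CLEAN is clean"
```

Run it against the real script path instead of the samples; a non-zero exit with placeholder names listed means the build step that substitutes them did not run.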

That’s what I did - I didn’t modify the source files when building the software.