Have greenbone-nvt-sync not run as root #323

Merged
merged 3 commits into from
May 13, 2019

@janowagner (Member) commented May 11, 2019

The script greenbone-nvt-sync does not require
root privileges to run anymore. Therefore it is now installed
in the "bin" directory rather than the "sbin" directory.

Furthermore the script will now refuse to run with "root"
privileges. This is to prevent accidental change of
file permissions that can later not be fixed by
a non-privileged user anymore.

If migrating from an older version, the owner and permissions
in the feed directory need to be fixed:

# cd <prefix>/var/lib/openvas/plugins
# chown -R <myuser>:<mygroup> *

where the user that runs the sync needs to be
or belong to group .
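
The ownership condition from the migration note above can be checked before each sync run. This is an added example, not code from the pull request or the project; the function names and return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight ownership check for the feed directory.
# Function names and return codes are hypothetical, not from greenbone-nvt-sync.

# Print every entry under directory $1 that is not owned by numeric uid $2.
# find's -user accepts a numeric id when no account has that name.
foreign_entries() {
    find "$1" ! -user "$2" -print 2>/dev/null
}

# Decide whether an unprivileged sync can safely write to the feed directory.
# $1 = feed directory, $2 = uid to check against (defaults to the caller's).
# Returns 0 = ok, 1 = foreign-owned entries found, 2 = uid is root,
#         3 = directory missing.
feed_preflight() {
    dir=$1
    uid=${2:-$(id -u)}
    if [ "$uid" -eq 0 ]; then
        echo "refusing to check or sync as root" >&2
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "feed directory $dir does not exist" >&2
        return 3
    fi
    bad=$(foreign_entries "$dir" "$uid")
    if [ -n "$bad" ]; then
        # Typical after an older, root-run sync: fix with chown -R as root.
        echo "entries not owned by uid $uid:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}
```

Call it as `feed_preflight <prefix>/var/lib/openvas/plugins` from the account that runs the sync; a return code of 1 means the `chown -R` step above still has to be done as root.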

This makes greenbone-nvt-sync be installed in the regular
bin directory because no root permissions are necessary anymore
for running the synchronisation.
@@ -20,6 +20,16 @@
# This script updates the local Network Vulnerability Tests (NVTs) from the
# Greenbone Security Feed (GSF) or the Greenbone Community Feed (GCF).

if [ "`id -u`" -eq "0" ]
then
echo "$0 must not be executed as privileged user root"
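Review bot: the echo inside the root check writes the refusal to stdout; redirect it to stderr (`>&2`) so that cron jobs and wrappers that capture output treat it as an error. The visible lines stop at the echo, so confirm the branch ends in a non-zero `exit` and that the refusal is also logged. In the test on the `if` line, `$(id -u)` is preferable to backticks, which nest poorly.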
Contributor

I think this should go to stderr.

Maybe also relevant, almost all the other error exits also do a log_err (and use stderr_write instead of echo).

Member Author

I changed this accordingly.

Write the message about denied root execution to stderr instead
of stdout. Also add an additional error message to the log.