Check sudo permissions before call openvas. #87
Check if the user running ospd-openvas has permissions to call openvas with sudo and without password. Depending on it, it will run openvas with sudo or without it.
For sudo_available I would propose to use the property decorator https://docs.python.org/3/library/functions.html#property
It allows calling a method when a property on the class instance is accessed.
ospd_openvas/wrapper.py
Outdated
except subprocess.CalledProcessError as e: | ||
logger.debug('It was not possible to call openvas with sudo. ' | ||
'The scanner will run as non-root user. Reason %s', e) | ||
return _sudo_available |
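Review bot: The except clause catches only subprocess.CalledProcessError, so a missing sudo binary would raise FileNotFoundError (an OSError) out of the check instead of falling back to the non-root path. Consider catching OSError here as well, and logging the fallback at warning level rather than debug, since it changes the privileges the scanner runs with.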
return _sudo_available | |
self._sudo_available = False |
try: | ||
result = subprocess.check_call( | ||
['sudo', '-n', 'openvas', '-s'], stdout=subprocess.PIPE | ||
) |
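Review bot: Passing stdout=subprocess.PIPE to check_call on the ['sudo', '-n', 'openvas', '-s'] line creates a pipe that nothing reads; the Python documentation warns against this because the child can block once the pipe buffer fills. Use stdout=subprocess.DEVNULL for a probe whose output is discarded.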
) | |
) | |
self._sudo_available = True |
ospd_openvas/wrapper.py
Outdated
if result == 0: | ||
_sudo_available = True | ||
|
||
return _sudo_available |
Just remove these lines above.
ospd_openvas/wrapper.py
Outdated
""" Checks that sudo is available and set the global var. """ | ||
_sudo_available = False | ||
try: | ||
result = subprocess.check_call( |
check_call doesn't return the returncode. If the returncode is != 0 it raises an exception https://docs.python.org/3/library/subprocess.html#subprocess.check_output So no need to check the result.
ospd_openvas/wrapper.py
Outdated
@@ -715,6 +716,23 @@ def get_detection_vt_as_xml_str( | |||
|
|||
return tostring(_detection).decode('utf-8') | |||
|
|||
def sudo_check(self): |
def sudo_check(self): | |
@property | |
def sudo_available(self): |
ospd_openvas/wrapper.py
Outdated
@@ -715,6 +716,23 @@ def get_detection_vt_as_xml_str( | |||
|
|||
return tostring(_detection).decode('utf-8') | |||
|
|||
def sudo_check(self): | |||
""" Checks that sudo is available and set the global var. """ |
""" Checks that sudo is available and set the global var. """ | |
""" Checks that sudo is available and set the global var. """ | |
if self._sudo_available is not None: | |
return self._sudo_available |
ospd_openvas/wrapper.py
Outdated
@@ -715,6 +716,23 @@ def get_detection_vt_as_xml_str( | |||
|
|||
return tostring(_detection).decode('utf-8') | |||
|
|||
def sudo_check(self): | |||
""" Checks that sudo is available and set the global var. """ | |||
_sudo_available = False |
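Review bot: The docstring on sudo_check says it sets "the global var", but the only assignment in the hunk, _sudo_available = False, is a local inside the method. Reword the docstring to describe what is actually returned or stored, for example that it reports whether openvas can be run through sudo without a password.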
_sudo_available = False |
ospd_openvas/wrapper.py
Outdated
""" Checks that sudo is available and set the global var. """ | ||
_sudo_available = False | ||
try: | ||
result = subprocess.check_call( |
result = subprocess.check_call( | |
subprocess.check_call( |
ospd_openvas/wrapper.py
Outdated
if self.sudo_available: | ||
cmd = ['sudo', 'openvas', '--scan-stop', scan_id] | ||
else: | ||
cmd = ['openvas', '--scan-stop', scan_id] |
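Review bot: The invocation on the cmd = ['sudo', 'openvas', '--scan-stop', scan_id] line omits -n, so if the sudoers rule is missing or has changed since sudo_available was evaluated, sudo will prompt for a password and the daemon call can hang. Add '-n' after 'sudo' so the command fails instead of waiting for input.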
These lines can be simplified by something like:
cmd = ['openvas', '--scan-stop', scan_id]
if self.sudo_available:
    cmd = ['sudo'] + cmd
cmd = ['sudo', 'openvas', '--scan-start', openvas_scan_id] | ||
else: | ||
cmd = ['openvas', '--scan-start', openvas_scan_id] | ||
|
Can be simplified as above.
Maybe it would be even better to extract calling openvas into its own method/function, e.g.
def call_openvas(args, use_sudo=False, niceness=None):
    cmd = args
    if use_sudo:
        cmd = ['sudo'] + cmd
    if niceness is not None:
        cmd = ['nice', ...] + cmd
    try:
        subprocess. ....
    ...
but I am not 100 percent sure about that because we are calling different functions of subprocess at the moment with slightly different arguments.
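The probe-once-then-prefix approach discussed in this review, written out as an added example; it is not code from the PR or from ospd-openvas. The class name `OpenvasCaller`, the injectable `run` parameter and `build_cmd` are hypothetical, and discarding output via `DEVNULL`, catching `OSError` and passing `-n` on the real call are choices of this example.

```python
import subprocess
from typing import Callable, List, Optional


class OpenvasCaller:
    """Hypothetical helper, not ospd-openvas code."""

    def __init__(self, run: Callable[..., int] = subprocess.check_call):
        self._run = run  # injectable so the probe can be exercised offline
        self._sudo_available: Optional[bool] = None

    @property
    def sudo_available(self) -> bool:
        """Probe once whether `sudo -n openvas` works, then cache the answer."""
        if self._sudo_available is None:
            try:
                # -n makes sudo fail instead of prompting for a password.
                self._run(
                    ['sudo', '-n', 'openvas', '-s'],
                    stdout=subprocess.DEVNULL,
                    stderr=subprocess.DEVNULL,
                )
                self._sudo_available = True
            except (subprocess.CalledProcessError, OSError):
                # Non-zero exit (no NOPASSWD rule) or sudo not installed.
                self._sudo_available = False
        return self._sudo_available

    def build_cmd(self, args: List[str]) -> List[str]:
        """Return the argv for openvas, prefixed with sudo only if allowed."""
        cmd = ['openvas'] + list(args)
        if self.sudo_available:
            cmd = ['sudo', '-n'] + cmd
        return cmd


def denied_runner(cmd, **kwargs):
    """Constructed stand-in for check_call: sudo refuses without a password."""
    raise subprocess.CalledProcessError(1, cmd)


if __name__ == '__main__':
    allowed = OpenvasCaller(run=lambda cmd, **kw: 0)
    print(allowed.build_cmd(['--scan-stop', 'scan-1']))
    print(OpenvasCaller(run=denied_runner).build_cmd(['--scan-stop', 'scan-1']))
```
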
Codecov Report
@@ Coverage Diff @@
## master #87 +/- ##
==========================================
- Coverage 72.1% 71.88% -0.23%
==========================================
Files 4 4
Lines 864 875 +11
==========================================
+ Hits 623 629 +6
- Misses 241 246 +5
Codecov Report
@@ Coverage Diff @@
## master #87 +/- ##
==========================================
- Coverage 72.1% 71.94% -0.16%
==========================================
Files 4 4
Lines 864 877 +13
==========================================
+ Hits 623 631 +8
- Misses 241 246 +5
Fix file name of ospd-scanner INSTALL guide
Check if the user running ospd-openvas has permissions to call openvas
with sudo and without password.
Depending on it, it will run openvas with sudo or without it.
How to give the user permission to call openvas with sudo and without password:
$ sudo visudo
Add at the end of the file
<user> ALL = NOPASSWD: /<install/path/sbin/openvas