How to set Postgres password

I’m currently running OpenVAS using the docker images, but I want to use an external postgres database.

I can see that gvmd has parameters for DB host, user, and port, but I can’t see one for password. It seems as though the default has no password on the gvmd role. Is it possible to set a password? I don’t want a database with no password on it :open_mouth:

Also, is there a list of what permissions the DB user actually requires, rather than just granting dba.


For the source code or Kali Linux installation, PostgreSQL’s peer authentication protects passwordless login. I’m not sure about Docker containers and obviously, peer auth won’t work for a remote connection.

By default, GVMD relies on PostgreSQL’s peer authentication method. The command line arguments for database settings such as host, user, and port are not required when starting gvmd. If these args are not provided, only the dbname is actually submitted to PG when connecting.

This forces PostgreSQL to use peer authentication - which uses the connecting processes’ Linux username as the database login username. Using peer auth also protects the gvm PostgreSQL database from being accessed by anything except the gvmd process itself, since the gvm Linux user is created as a no-login user (at least for the source code installation it is).

sudo useradd -r -M -U -G sudo -s /usr/sbin/nologin gvm

So, only those with root/sudo can become the gvm Linux user.

To actually allow passwordless authentication in PG, you would have to set the PostgreSQL Host-Based Authentication configuration file (pg_hba.conf) to explicitly allow it using the trust method. Otherwise, passwordless authentication for PostgreSQL is not possible under any circumstances.

If you want to add a password-based auth to GVM anyway you would need to modify the source code. For example, in the GVMD package the database connection is created in the sql_pg.c file and it seems that the only place where database connection settings are collected is in the main gvmd.c file when command line arguments are parsed.

Of course, then you would need to change the PostgreSQL auth setting in pg_hba.conf to something like md5, or scram-sha-256

Thanks, that’s what I suspected :frowning_face: We wanted to use AWS RDS for the database, which doesn’t (AFAIK) support passwordless authentication.