Is superuser required on the PostgreSQL user?

Hi,

I’m setting up a Greenbone instance, and I’m connecting it to a PostgreSQL cluster. When reading the docs, I’ve seen that a “dba” role is needed and it has the “superuser” permission.

I believe superuser gives a lot of permissions over the cluster. Is this permission required?

Thanks

It appears that superuser privileges are required for the current installation process due to pg-gvm needing to be installed. For example, in default PostgreSQL behavior, CREATE EXTENSION requires superuser by default, unless the extension is marked as trusted (superuser = false) and the caller has sufficient database privileges. In pg-gvm’s control.in, there is no superuser = false. That being said, we may find out more information from another contributor with more insight into the database architecture.

I can say that the docs and community source code install guide are designed for convenience in software development purposes only. They are not a hardened enterprise deployment of OPENVAS SCAN in multi-tenant environments.

Thanks for relaying this concern. It may be useful to look deeper into this issue and relay these security implications to community users in the documentation.
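
An added example, not part of the thread or of Greenbone's code: a small Python check that applies PostgreSQL's documented control-file rules, where `superuser` defaults to true and `trusted` (PostgreSQL 13 and later) defaults to false, to report who may run CREATE EXTENSION. The sample control files and the function names are constructed for illustration and are not pg-gvm's real file.

```python
import re

# One `key = value` line; the value is single-quoted or a bare word, '#' starts a comment.
_LINE = re.compile(r"^\s*(\w+)\s*=\s*(?:'((?:[^']|'')*)'|([^#\s]*))\s*(?:#.*)?$")
_BOOL = {"on": True, "true": True, "yes": True, "1": True,
         "off": False, "false": False, "no": False, "0": False}


def parse_control(text):
    """Return the parameters set in an extension control file as a dict."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable control line: {line!r}")
        quoted, bare = m.group(2), m.group(3)
        params[m.group(1).lower()] = quoted.replace("''", "'") if quoted is not None else bare
    return params


def _flag(params, name, default):
    value = params.get(name)
    if value is None:
        return default
    return _BOOL[value.lower()]  # KeyError on anything but the full spellings


def install_requirement(control_text):
    """Who may run CREATE EXTENSION, per the documented control-file rules."""
    params = parse_control(control_text)
    superuser = _flag(params, "superuser", True)   # documented default: true
    trusted = _flag(params, "trusted", False)      # documented default: false
    if not superuser:
        return "script-privileges"   # only what the script's own commands need
    if trusted:
        return "database-create"     # CREATE on the database; script runs as bootstrap superuser
    return "superuser"


# Constructed samples, not pg-gvm's real control file.
NO_FLAGS = "comment = 'example extension'  # neither flag set\ndefault_version = '1.0'\n"
TRUSTED = NO_FLAGS + "trusted = true\n"
NON_SUPER = NO_FLAGS + "superuser = false\n"

if __name__ == "__main__":
    for name, text in [("no flags", NO_FLAGS), ("trusted", TRUSTED), ("superuser=false", NON_SUPER)]:
        print(f"{name:16} -> {install_requirement(text)}")
```

On a running server the same two flags are visible as the `superuser` and `trusted` columns of the `pg_available_extension_versions` view.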

We are always open for every improvement. Feel free to do some investigation and at best create a PR.

Thanks for the replies!

I’ve tested out creating an unprivileged user for Greenbone, and manually creating the extension in the database. But it fails to start due to being unable to update the extension:

md manage:WARNING:2026-02-01 23h49.21 utc:150: sql_exec_internal: PQexec failed: ERROR:  must be owner of extension pg-gvm
 (7)
md manage:WARNING:2026-02-01 23h49.21 utc:150: sql_exec_internal: SQL: ALTER EXTENSION "pg-gvm" UPDATE;
md manage:WARNING:2026-02-01 23h49.21 utc:150: sqlv: sql_exec_internal failed

I do believe this is related to the following check where my pg-gvm is not in version 1.1 but 22.6, so gvmd tries to update it and fails.

I’m not sure if updating this check to check if version is <= 1.1 would fix the startup issue, I will try it out.