Hi,
I’m currently setting up greenbone-feed-sync to run via cron under the gvm user. I’d like to make sure I’m following best practices for installing and using this tool, especially in a secure and maintainable way.
Here’s what I’m currently doing:
I install the tool from my regular user (USER1, in group gvm) using this approach:
export INSTALL_DIR=$HOME/install
mkdir -p $INSTALL_DIR/greenbone-feed-sync
python3 -m pip install --root=$INSTALL_DIR/greenbone-feed-sync --no-warn-script-location greenbone-feed-sync
sudo cp -rv $INSTALL_DIR/greenbone-feed-sync/* /
sudo chown gvm:gvm /usr/local/bin/greenbone-feed-sync
sudo chmod 740 /usr/local/bin/greenbone-feed-sync
Then I add a cronjob for the gvm user like this:
sudo crontab -u gvm -e
Inside the crontab:
35 7 * * 1-5 /usr/local/bin/greenbone-feed-sync --quiet
The problem is that this installation method does not follow PEP 668, and while the official Greenbone documentation suggests installing the tool this way, the GitHub page for greenbone-feed-sync actually recommends installing it via pipx, which appears safer and more maintainable.
The complication:
My gvm user is created as a system user like so:
sudo useradd -r -M -U -G sudo -s /usr/sbin/nologin gvm
Because of the /usr/sbin/nologin shell, I can’t run sudo -iu gvm to switch into the user and run pipx install.
My questions are:
What is the officially recommended way to install greenbone-feed-sync if I intend to run it regularly from a cron job under the gvm system user?
Should I temporarily change the shell of the gvm user (e.g., to /bin/bash), install via pipx directly as gvm, and then revert to /usr/sbin/nologin?
Thanks in advance for your guidance!
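
A check for the result of the install steps above, as an added example that is not part of the original post: it reads the owner, group and mode of the file the cron job runs and reports whether the account the job runs as can modify it or cannot execute it. With `chown gvm:gvm` and `chmod 740` as posted, it reports the file as writable by `gvm` through the owner bits. The function name `audit_cron_target` is hypothetical, and GNU coreutils `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the file a cron job runs.
# Assumes GNU coreutils stat; audit_cron_target is a hypothetical name.
#
# Usage: audit_cron_target FILE RUN_USER
# Prints one finding per line. Returns 0 = clean, 1 = findings, 2 = no such file.
audit_cron_target() (
    file=$1 run_user=$2 rc=0
    [ -f "$file" ] || { echo "not a regular file: $file"; return 2; }

    # Owner name, group name and octal mode, e.g. "gvm gvm 740".
    set -- $(stat -c '%U %G %a' "$file")
    owner=$1 group=$2 mode=$3

    # Pick the one permission class that applies to RUN_USER.
    if [ "$owner" = "$run_user" ]; then
        class=owner shift_by=6
    elif id -nG "$run_user" 2>/dev/null | tr ' ' '\n' | grep -qxF -- "$group"; then
        class=group shift_by=3
    else
        class=other shift_by=0
    fi
    bits=$(( (0$mode >> shift_by) & 7 ))

    # The account that runs the job should be able to execute it, not rewrite it.
    if [ $(( bits & 2 )) -ne 0 ]; then
        echo "writable by $run_user via $class bits: $file ($owner:$group $mode)"; rc=1
    fi
    if [ $(( bits & 1 )) -eq 0 ]; then
        echo "not executable by $run_user via $class bits: $file ($owner:$group $mode)"; rc=1
    fi
    if [ $(( 0$mode & 2 )) -ne 0 ]; then
        echo "world-writable: $file ($mode)"; rc=1
    fi
    return $rc
)

# Example: sh audit.sh /usr/local/bin/greenbone-feed-sync gvm
if [ $# -eq 2 ]; then audit_cron_target "$1" "$2"; fi
```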