Running openvas as a non-privileged user?

Hi,

Is it possible to run openvas as a non-root user? And is it even something we want to do?

Nmap, although not really a scanner, suffers limitations if run as a non-root user. Would that be the same with Openvas?

I’m curious because all installations I’ve seen so far are run as root; which is the installation by default, while theoretically there is no reason to do so. And I haven’t found any information on this on the net.

Thanks

I guess you mean openvas-scanner by openvas? Of course the other daemons (gvmd/openvasmd and gsad) should NOT run as root.

Just to add that even openvas-scanner (openvassd) could run as non-root as well but you will get less functionality concerning:

  • UDP and TCP SYN port scanning via nmap (probably some more)
  • VTs relying on packet forgery functions (forge_ipv6_packet, forge_icmp_v6_packet, send_v6packet, forge_ip_packet, forge_icmp_packet, send_packet NASL functions and similar) won’t work
  • Probably some more restrictions
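An added example, not part of the original thread or of the OpenVAS code: a Linux-only check that tells you whether the account running the scanner can use raw sockets at all. It assumes that the first two items listed above depend on raw-socket access (CAP_NET_RAW on Linux); the function names and the sample status text are constructed for illustration.

```python
import socket

CAP_NET_RAW = 13  # bit number from <linux/capability.h>

# Items from the answer above; that both hinge on raw sockets is this example's assumption.
RAW_SOCKET_FEATURES = [
    "UDP and TCP SYN port scanning via nmap",
    "VTs relying on packet forgery NASL functions",
]

def cap_eff_from_status(status_text):
    """Return the CapEff hex mask from /proc/<pid>/status content."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no CapEff line in status text")

def has_cap(cap_eff_hex, bit=CAP_NET_RAW):
    """True if capability number `bit` is set in the effective mask."""
    return bool((int(cap_eff_hex, 16) >> bit) & 1)

def degraded_features(status_text):
    """List the features expected to be limited for this process."""
    if has_cap(cap_eff_from_status(status_text)):
        return []
    return list(RAW_SOCKET_FEATURES)

def can_open_raw_socket():
    """Live check: actually try to create an ICMP raw socket."""
    try:
        socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP).close()
        return True
    except OSError:  # PermissionError (EPERM) is a subclass of OSError
        return False

# Constructed sample: status lines of an unprivileged process.
SAMPLE_UNPRIVILEGED = "Name:\tscanner\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    with open("/proc/self/status") as fh:
        missing = degraded_features(fh.read())
    print("raw socket usable:", can_open_raw_socket())
    for item in missing:
        print("expect reduced functionality:", item)
```

Run it as the user the scanner daemon runs as; an empty list means the process holds CAP_NET_RAW even though it is not root.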

No; by openvas I mean the whole package of latest stable release (7.0.3). I know the branding is changing, but to my knowledge the 7.0.3 source still uses openvasmd & openvassd naming convention. And by extension, I mean also gsad.

Having said that; it would be nice to have this documented somewhere. I looked in the documentation but couldn’t find anything on this secure configuration.

Thanks!