I’m pretty new to OpenVAS but I’ve finally been able to take advantage of the sample scripts to get a really nice wrapper built in. However, I’m running into one final issue.
When trying to use gvm-script, I get the error about running it as root. While I can definitely appreciate the concern about security (I’m a pentester), I’m wondering what are some alternative approaches. I know I can just simply modify the script to avoid making the do_not_run_as_root() call, but I want to implement a solution for my wrapper that’s going to be pretty sustainable.
When creating another user account, I just simply face a bunch of permission errors, but I’m not quite sure where they’re coming from. Here’s what I’ve done.
- Created a user called “openvas”
- Added the “openvas” user to sudoers
Here’s the command that I’m trying to run:
```
runuser -u openvas -- gvm-script --gmp-username admin --gmp-password $(cat /home/openvas/.openvas_creds.txt) socket /home/openvas/gvm-myscript.py
```
However, this presents me with a Permission Denied error. But if I run it with sudo, then I get the same error about running as root.
What exactly do I need to do here? I can’t run it as sudo, but I don’t have permissions to run it as a regular user. I added the openvas user to the _gvm group because that group owns the socket file. That seems to have done the trick for now, but I’m not quite sure if this is a recommended approach.
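
The difference between sudoers membership and `_gvm` group membership described above comes down to which single permission class the kernel applies to the socket file. The script below is an added example, not part of the original post or of the gvm-tools project. The function names are hypothetical, the socket path is whatever you pass in, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# classify MODE OWNER GROUP USER "GROUP LIST"
# The kernel applies exactly one class, checked in order: owner, group, other.
# Being listed in sudoers changes none of these for an unprivileged process.
# Prints "<class>:<allow|deny>". Root is not modelled; it bypasses these checks.
classify() {
    c_mode=$((0$1))          # leading 0 makes the shell read the mode as octal
    c_class=other
    c_shift=0
    if [ "$4" = "$2" ]; then
        c_class=owner
        c_shift=6
    else
        case " $5 " in
            *" $3 "*) c_class=group; c_shift=3 ;;
        esac
    fi
    # On Linux, connect() to a Unix socket needs write permission (bit 2)
    # on the socket file itself.
    if [ $(( ($c_mode >> $c_shift) & 2 )) -ne 0 ]; then
        echo "$c_class:allow"
    else
        echo "$c_class:deny"
    fi
}

# socket_access PATH USER: read the real mode, owner and groups, then classify.
# Parent directories also need search (x) permission; that is not checked here.
socket_access() {
    sa_stat=$(stat -c '%a %U %G' "$1") || return 1
    sa_groups=$(id -Gn "$2") || return 1
    # Intentional word splitting: sa_stat holds "mode owner group".
    classify $sa_stat "$2" "$sa_groups"
}

# Usage: sh socket_access.sh <path-to-gvmd-socket> openvas
if [ "$#" -eq 2 ]; then
    socket_access "$1" "$2"
fi
```

A result of `other:deny` that changes to `group:allow` after adding the user to the socket's group shows the access came from group membership alone, with no root or sudo involved.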