More thoughts welcome...

Chandra. 

-----Original Message-----
From: openvas-devel-boun...@wald.intevation.org
[mailto:openvas-devel-boun...@wald.intevation.org] On Behalf Of Jan-Oliver
Wagner
Sent: Wednesday, December 17, 2008 3:43 PM
To: openvas-devel@wald.intevation.org
Subject: Re: [Openvas-devel] Change Request #25: Integration of SAMBA/WMI to OpenVAS-nasl

Hi Chandra,

On Mittwoch, 17. Dezember 2008, Chandrashekhar B wrote:
> > I have a spontaneous question: Are high privileges
> > required to run the smb stuff or are lower privileges sufficient?
> > Note: What I am having in mind is a privilege downgrade for
> > openvasd in case of samba based tests to lower security problems.
> 
> I think it can work as non-root, need to think through how openvasd can
> downgrade privileges.

Michael implemented such a feature for OVAL because we did not want
to execute ovaldi stuff with high privileges. So, IMHO it is doable.

> Most of the Windows checks will be Samba based tests.
> So whenever a Windows based test is selected, openvasd has to identify that
> and run as non-root. I think it is going to be very complicated.

We have to think about it, but I am confident there is a nice solution.

> Do you mean security problem because of an external library? Samba is an
> active project. We can look at the alternative approach I have proposed with
> WMI. Though it depends again on Samba, the code base it depends on is less.
> We can maintain that within Openvas space.

I have not finally made up my mind about the options.
Let's have some more opinions from the other experts here on this list ;-)

Best

        Jan

-- 
Dr. Jan-Oliver Wagner | ++49-541-335 08 30  |  http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
_______________________________________________
Openvas-devel mailing list
Openvas-devel@wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-devel
