On Tuesday, 15 December 2009, Chandrashekhar B wrote:
> > we discovered that in version_func.inc the use of
> > islocalhost() should be eliminated for the following reason:
> > 1. system commands are executed on scanner host although no
> > credentials are provided.
> > 2. system commands are executed with the same privileges
> > as the scanner (typically root).
> >
>
> I agree with you, we should remove the usage of islocalhost() only in
> version_func.inc and some of the plugins that are using version_func.inc

OK.

> > I've grepped for islocalhost and found 50 occurrences.
> > I did not look into them any deeper but I could imagine that
> > there are some misuses as well.
> >
> > Does anyone know a reason not to remove the islocalhost
> > sections from version_func.inc? (They have been there for a long time.)
>
> islocalhost() is added for performance reasons: if it is a localhost, we
> need not set up an ssh session.

I think the performance gain does not justify starting a process with
the same user id as openvasd.
With ssh sessions we also control the privileges under which the
tools are executed.

We will remove the islocalhost() conditionals from version_func.inc
now.

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Openvas-plugins mailing list
http://lists.wald.intevation.org/mailman/listinfo/openvas-plugins
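
An added example, not part of the original thread or of the OpenVAS code base: a small Python audit for the remaining islocalhost() occurrences mentioned above, listing each guard and flagging those whose guarded block spawns a local process on the scanner host. The NASL sample is constructed, and treating pread() as the only local-execution call is an assumption of this sketch.

```python
import re

# Constructed NASL-like sample (not taken from version_func.inc).
SAMPLE = '''
function get_version(cmd, sock) {
  if (islocalhost()) {
    out = pread(cmd: cmd, argv: make_list(cmd, "--version"));
    return out;
  }
  return ssh_cmd(socket: sock, cmd: cmd + " --version");
}

function banner_note() {
  if (islocalhost()) {
    log_message(data: "scanning the scanner host");
  }
}
'''

GUARD = re.compile(r'\bislocalhost\s*\(\s*\)')
LOCAL_EXEC = re.compile(r'\bpread\s*\(')  # assumption: pread() is the local-exec call

def guarded_block(src, pos):
    """Text governed by the guard ending at pos: a {...} block or one statement."""
    brace, semi = src.find('{', pos), src.find(';', pos)
    if brace == -1 or (semi != -1 and semi < brace):
        # Brace-less form: the guard covers a single statement.
        return src[pos:semi + 1] if semi != -1 else src[pos:]
    depth = 0
    for i in range(brace, len(src)):
        if src[i] == '{':
            depth += 1
        elif src[i] == '}':
            depth -= 1
            if depth == 0:
                return src[brace:i + 1]
    return src[brace:]  # unbalanced braces: return the rest for manual review

def audit(src):
    """Return (line_number, runs_local_command) for every islocalhost() guard."""
    findings = []
    for m in GUARD.finditer(src):
        line = src.count('\n', 0, m.start()) + 1
        findings.append((line, bool(LOCAL_EXEC.search(guarded_block(src, m.end())))))
    return findings

if __name__ == '__main__':
    for line, local in audit(SAMPLE):
        print(line, 'runs a local command as the scanner user' if local else 'no local exec')
```

The brace matching ignores comments and string literals, and a negated guard (`!islocalhost()`) is reported the same way, so each flagged line still needs a manual look.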