Hello,

Currently, all NVTs launched by openvas-scanner are running with the 
privileges of their parent process, which is in most cases root. The vast 
majority of NVTs does not actually need root privileges.

Since a lot of folks have the perfectly understandable desire to have as few 
things running as root as possible, I've created a draft of a patch which 
adds a new preference called "drop_privileges" to the openvas-scanner.

As you might have guessed from the name, if this preference is set to "yes", 
openvas-scanner will attempt to drop its root privilege before launching an 
NVT; the default value of this preference is "no", meaning no change in 
behavior.

Of course there is a tradeoff: The increased protection against broken or 
malicious NVTs comes at the price of decreased coverage, since NVTs 
attempting low level operations (e.g. pcap) will return less results. But I 
think this is a choice the users will appreciate and be able to make.

Right now, this is a scan-wide preference: privileges will be dropped either 
for all NVTs or for no NVTs. But as you can see from the code, it will be 
pretty easy to extend this approach to a per-NVT setting if this desired.

Let me know what you think, I'm looking forward to your comments on this 
issue. If anything is unclear, feel free to let me know.

Regards,

Michael

-- 
Michael Wiegand |  Greenbone Networks GmbH  |  http://www.greenbone.net/
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner

Index: base/CMakeLists.txt
===================================================================
--- base/CMakeLists.txt	(Revision 8075)
+++ base/CMakeLists.txt	(Arbeitskopie)
@@ -144,13 +144,13 @@
   set (CMAKE_C_FLAGS              "${CMAKE_C_FLAGS} -Wall -Werror -fPIC")
 endif (NOT MINGW)
 
-set (FILES array.c certificate.c credentials.c hash_table_util.c nvti.c
-     nvticache.c openvas_certificate_file.c openvas_file.c openvas_string.c
-     pidfile.c severity_filter.c settings.c)
+set (FILES array.c certificate.c credentials.c drop_privileges.c
+     hash_table_util.c nvti.c nvticache.c openvas_certificate_file.c
+     openvas_file.c openvas_string.c pidfile.c severity_filter.c settings.c)
 
-set (HEADERS array.h certificate.h credentials.h hash_table_util.h nvti.h
-     settings.h openvas_certificate_file.h openvas_file.h openvas_string.h
-     pidfile.h severity_filter.h)
+set (HEADERS array.h certificate.h credentials.h drop_privileges.h
+     hash_table_util.h nvti.h settings.h openvas_certificate_file.h openvas_file.h
+     openvas_string.h pidfile.h severity_filter.h)
 
 add_library (openvas_base_static STATIC ${FILES})
 set_target_properties (openvas_base_static PROPERTIES COMPILE_FLAGS "${GLIB_CFLAGS}")
Index: openvassd/nasl_plugins.c
===================================================================
--- openvassd/nasl_plugins.c	(Revision 8075)
+++ openvassd/nasl_plugins.c	(Arbeitskopie)
@@ -33,6 +33,7 @@
 
 #include <glib.h>
 
+#include <openvas/base/drop_privileges.h> /* for drop_privileges */
 #include <openvas/nasl/nasl.h>
 #include <openvas/network.h>    /* for internal_send */
 #include <openvas/nvt_categories.h>     /* for ACT_SCANNER */
@@ -225,6 +226,7 @@
   int soc = GPOINTER_TO_SIZE (arg_get_value (args, "SOCKET"));
   int i;
   int nasl_mode;
+  GError *error = NULL;
 
   if (preferences_benice (NULL))
     nice (-5);
@@ -281,6 +283,18 @@
   if (preferences_nasl_no_signature_check (preferences) > 0)
     nasl_mode |= NASL_ALWAYS_SIGNED;
 
+  if (preferences_drop_privileges (preferences, NULL))
+    {
+      int drop_priv_res = OPENVAS_DROP_PRIVILEGES_OK;
+      drop_priv_res = drop_privileges (NULL, &error);
+      if (drop_priv_res != OPENVAS_DROP_PRIVILEGES_OK)
+        {
+          if (drop_priv_res != OPENVAS_DROP_PRIVILEGES_FAIL_NOT_ROOT)
+            log_write ("Failed to drop privileges for %s\n", name);
+          g_error_free (error);
+        }
+    }
+
   exec_nasl_script (args, name, nasl_mode);
   internal_send (soc, NULL,
                  INTERNAL_COMM_MSG_TYPE_CTRL | INTERNAL_COMM_CTRL_FINISHED);
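Review bot: When drop_privileges() fails for any reason other than OPENVAS_DROP_PRIVILEGES_FAIL_NOT_ROOT, the added block only logs and then falls through to exec_nasl_script(), so the NVT still runs with the parent's privileges although the administrator asked for them to be dropped. For a hardening option this path should fail closed: skip the script and go straight to the INTERNAL_COMM_CTRL_FINISHED message rather than executing it. The log line should also carry the reason, e.g. `log_write ("Failed to drop privileges for %s: %s\n", name, error ? error->message : "unknown error");`. `g_clear_error (&error);` is safer than `g_error_free (error);`, which is also reached on the NOT_ROOT path and emits a GLib critical if drop_privileges() left `error` unset (its implementation is not part of this patch). The enclosing function starts and ends outside the hunk.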
Index: openvassd/preferences.c
===================================================================
--- openvassd/preferences.c	(Revision 8075)
+++ openvassd/preferences.c	(Arbeitskopie)
@@ -188,6 +188,11 @@
   fprintf (fd,
            "# Should consider all the NASL scripts as being signed ? (unsafe if set to 'yes')\n");
   fprintf (fd, "nasl_no_signature_check = yes\n\n");
+  fprintf (fd,
+           "# If this option is set to yes, openvassd will attempt to drop its privileges\n");
+  fprintf (fd,
+           "# before launching NVTs.\n");
+  fprintf (fd, "drop_privileges = no\n\n");
   fprintf (fd, "#end.\n");
 
   fclose (fd);
@@ -566,7 +571,39 @@
 }
 
 
+/**
+ * @brief Returns the privilege setting defined by the client or the scanner
+ * preference if none was set.
+ *
+ * @param preferences Preferences arglist.
+ * @param oid         OID of NVT to ask privilege setting of. (unused)
+ *
+ * @return 1 if privileges should be dropped for this NVT, 0 if not.
+ */
 int
+preferences_drop_privileges (struct arglist *preferences, char *oid)
+{
+  char *pref;
+  int ret = 0;
+
+  if (preferences == NULL)
+      return ret;
+
+  if (arg_get_type (preferences, "drop_privileges") == ARG_STRING)
+    {
+      if (strcmp (arg_get_value (preferences, "drop_privileges"), "yes") == 0)
+        ret = 1;
+    }
+
+  pref = arg_get_value (preferences, "drop_privileges");
+  printf ("pref = %s\n", pref);
+
+  printf ("returning %d\n", ret);
+  return ret;
+}
+
+
+int
 preferences_save_session (preferences)
      struct arglist *preferences;
 {
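Review bot: The two `printf` calls at the end of preferences_drop_privileges() look like leftover debugging and should be removed before commit. `pref` is fetched without the ARG_STRING check used a few lines above, so `printf ("pref = %s\n", pref);` hands `%s` a NULL pointer when the preference is absent and a non-string value when it is stored with another type. Dropping `pref`, the second `arg_get_value` call and both `printf` lines leaves the return value unchanged. The doc comment says a client-defined value takes precedence over the scanner preference; if the arglist really is merged that way (not visible here), a scan client could switch the hardening off, so the comment should state whether the scanner-side setting is meant to be overridable.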
Index: openvassd/preferences.h
===================================================================
--- openvassd/preferences.h	(Revision 8075)
+++ openvassd/preferences.h	(Arbeitskopie)
@@ -55,5 +55,6 @@
 void preferences_reset_cache ();
 int preferences_silent_dependencies (struct arglist *);
 int preferences_nasl_no_signature_check (struct arglist *);
+int preferences_drop_privileges (struct arglist *, char *);
 
 #endif
Index: openvassd/oval_plugins.c
===================================================================
--- openvassd/oval_plugins.c	(Revision 8075)
+++ openvassd/oval_plugins.c	(Arbeitskopie)
@@ -135,10 +135,13 @@
  * implementation is somewhat linux-specific and may not work on other
  * platforms.
  *
+ * TODO: Functionality for dropping privileges has now been added to
+ * openvas-libraries, consider using drop_privileges instead.
+ *
  * @param user_data Pointer to additional data passed by glib; currently unused.
  */
 void
-drop_privileges (gpointer user_data)
+oval_drop_privileges (gpointer user_data)
 {
   struct passwd *nobody_pw = NULL;
 
@@ -997,7 +1000,7 @@
   //   log_write ("Launching ovaldi with: %s\n", g_strjoinv (" ", argv));
 
   if (g_spawn_sync
-      (NULL, argv, NULL, G_SPAWN_SEARCH_PATH, drop_privileges, NULL, NULL, NULL,
+      (NULL, argv, NULL, G_SPAWN_SEARCH_PATH, oval_drop_privileges, NULL, NULL, NULL,
        NULL, NULL))
     {
       GMarkupParser parser;