Secure-Compliance-Solutions-LLC / GVM-Docker

Greenbone Vulnerability Management Docker Image with OpenVAS
https://securecompliance.gitbook.io/projects/
MIT License

[Bug] rsync: [receiver] mkstemp "XXXXXX" failed: Permission denied (13) #277

Closed v1c5anchez closed 3 years ago

v1c5anchez commented 3 years ago

Describe the bug

Dear all,

Initially I detected the following situation:

When parsing the gvmd.log file in order to list the feed updates (and the corresponding number of NVTs) I found what follows:

root@XXXXXXX:/# grep "... done" /usr/local/var/log/gvm/gvmd.log
md manage:   INFO:2021-07-02 11h43.03 utc:1440: Updating VTs in database ... done (74526 VTs).
md manage:   INFO:2021-07-07 07h58.04 utc:990: Updating VTs in database ... done (74526 VTs).
md manage:   INFO:2021-07-08 16h22.09 utc:23153: Updating VTs in database ... done (74529 VTs).
(...)
md manage:   INFO:2021-09-14 10h18.58 utc:2057524: Updating VTs in database ... done (74546 VTs).
md manage:   INFO:2021-09-14 11h08.02 utc:1099: Updating VTs in database ... done (74549 VTs).
md manage:   INFO:2021-09-15 14h14.56 utc:2146837: Updating VTs in database ... done (74549 VTs).

The number of NVTs has not grown significantly since 2021-07-02.

However, when creating a new container from the very same image (and subsequently, downloading the feed for the first time in the new container) I have detected that the number of NVTs is way larger (around 76000 NVTs).

As a consequence of this I have attempted to force update the NVTs by hand as shown by @pixelsquared in https://github.com/Secure-Compliance-Solutions-LLC/GVM-Docker/discussions/147#discussioncomment-548518, using the command:

docker exec -it gvm /sync-all.sh

What I see in the logs is the following:

(...)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.xst_http_trace.nasl.W7o4q3" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.yabb_xss.nasl.UDp9k5" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.yacy_xss.nasl.28Tog2" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.yahoo_dos.nasl.qo83b5" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.yapig_multiple_flaws.nasl.KWZL21" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.yapig_pass_dir_access.nasl.uRb9O1" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.yapig_remote_vuln.nasl.SsV3F1" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.yawcam_dir_traversal.nasl.TSAta4" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.yusasp_asset_manager_detection.nasl.VwjBK1" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.zebra_dos.nasl.tg10Z5" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.zeroboard_flaws.nasl.iYsLy5" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.zeroboard_flaws2.nasl.FYVvB1" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.zeroboard_xss.nasl.3Wo3q3" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.zml_cgi_traversal.nasl.7kROE3" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.zone_alarm_fw_p67.nasl.5JZbc5" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.zope_path_disclosure.nasl.68fRQ2" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.zope_zclass.nasl.8urJK1" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.zyxel_http_pwd.nasl.xZ5QB4" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.zyxel_pwd.nasl.4IJbG1" failed: Permission denied (13)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1816) [generator=3.2.3]
Updating GVMd data...
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/

All transactions are logged.

If you have any questions, please use the Greenbone community portal.
See https://community.greenbone.net for details.

By using this service you agree to our terms and conditions.

Only one sync per time, otherwise the source ip will be temporarily blocked.

receiving incremental file list
timestamp
             13 100%   12.70kB/s    0:00:00 (xfr#1, to-chk=0/1)

sent 43 bytes  received 115 bytes  316.00 bytes/sec
total size is 13  speedup is 0.08
Updating SCAP data...
/usr/local/sbin/greenbone-feed-sync: 259: cannot create /usr/local/var/lib/gvm/scap-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 260: cannot create /usr/local/var/lib/gvm/scap-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 261: cannot create /usr/local/var/lib/gvm/scap-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 262: cannot create /usr/local/var/lib/gvm/scap-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 263: cannot create /usr/local/var/lib/gvm/scap-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 264: cannot create /usr/local/var/lib/gvm/scap-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 265: cannot create /usr/local/var/lib/gvm/scap-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 266: cannot create /usr/local/var/lib/gvm/scap-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 267: cannot create /usr/local/var/lib/gvm/scap-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 268: cannot create /usr/local/var/lib/gvm/scap-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 269: cannot create /usr/local/var/lib/gvm/scap-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 270: cannot create /usr/local/var/lib/gvm/scap-data/feed.xml: Permission denied
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/

All transactions are logged.

If you have any questions, please use the Greenbone community portal.
See https://community.greenbone.net for details.

By using this service you agree to our terms and conditions.

Only one sync per time, otherwise the source ip will be temporarily blocked.

receiving incremental file list
timestamp
             13 100%   12.70kB/s    0:00:00 (xfr#1, to-chk=0/1)

sent 43 bytes  received 115 bytes  316.00 bytes/sec
total size is 13  speedup is 0.08
Updating CERT data...
/usr/local/sbin/greenbone-feed-sync: 259: cannot create /usr/local/var/lib/gvm/cert-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 260: cannot create /usr/local/var/lib/gvm/cert-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 261: cannot create /usr/local/var/lib/gvm/cert-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 262: cannot create /usr/local/var/lib/gvm/cert-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 263: cannot create /usr/local/var/lib/gvm/cert-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 264: cannot create /usr/local/var/lib/gvm/cert-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 265: cannot create /usr/local/var/lib/gvm/cert-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 266: cannot create /usr/local/var/lib/gvm/cert-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 267: cannot create /usr/local/var/lib/gvm/cert-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 268: cannot create /usr/local/var/lib/gvm/cert-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 269: cannot create /usr/local/var/lib/gvm/cert-data/feed.xml: Permission denied
/usr/local/sbin/greenbone-feed-sync: 270: cannot create /usr/local/var/lib/gvm/cert-data/feed.xml: Permission denied
Greenbone community feed server - http://feed.community.greenbone.net/
This service is hosted by Greenbone Networks - http://www.greenbone.net/

All transactions are logged.

If you have any questions, please use the Greenbone community portal.
See https://community.greenbone.net for details.

By using this service you agree to our terms and conditions.

Only one sync per time, otherwise the source ip will be temporarily blocked.

receiving incremental file list
timestamp
             13 100%   12.70kB/s    0:00:00 (xfr#1, to-chk=0/1)

sent 43 bytes  received 115 bytes  105.33 bytes/sec
total size is 13  speedup is 0.08

All files seem to be in place:

# ls -l /usr/local/var/lib/gvm/scap-data/feed.xml
-rw-r--r-- 1 1001 121 583 Jul  1 00:46 /usr/local/var/lib/gvm/scap-data/feed.xml
# ls -l /usr/local/var/lib/gvm/scap-data/oval/5.10/org.mitre.oval/
total 20
drwxr-xr-x 2 1001 121 4096 Jul  1 00:45 c
drwxr-xr-x 2 1001 121 4096 Jul  1 00:45 i
drwxr-xr-x 2 1001 121 4096 Jul  1 00:45 m
drwxr-xr-x 2 1001 121 4096 Jul  1 00:46 p
drwxr-xr-x 3 1001 121 4096 Jul  1 00:43 v
# ls -l /usr/local/var/lib/gvm/scap-data/oval/5.10/org.mitre.oval/c/
total 264
-rw-r--r-- 1 1001 121 268150 Sep 18  2014 oval.xml

Additionally, when logged in the docker container:

# whoami
root
# ls -l sync-all.sh
-rwxr-xr-x 1 root root 1318 May 31 14:09 sync-all.sh

To Reproduce

docker exec -it gvm /sync-all.sh

Expected behavior

I suppose I should not get those #Permission denied (13) logs.

Host Device:

Static hostname: XXXXXXXX
Icon name: computer-vm
Chassis: vm
Virtualization: oracle
Operating System: Arch Linux
Kernel: Linux 5.12.12-arch1-1
Architecture: x86-64
Hardware Vendor: innotek GmbH
Hardware Model: VirtualBox

Image in use:

Dexus commented 3 years ago

Please use a newer version or wait for the new Debian based release.

ilyaevseev commented 1 year ago

The same problem with the newest image.
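
The report above shows gvmd logging "Updating VTs in database ... done" while the sync output is full of write failures, so a stalled feed is easy to miss. The following is an added example, not part of the original thread or the project's code, that checks both logs together; the sample lines are copied from the report, and the function names and the `reference_vts` parameter (the VT count of a freshly synced container, about 76000 in the report) are assumptions made for illustration.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Sample lines copied from the report above (a subset, so this runs offline).
GVMD_LOG = """\
md manage:   INFO:2021-07-02 11h43.03 utc:1440: Updating VTs in database ... done (74526 VTs).
md manage:   INFO:2021-07-08 16h22.09 utc:23153: Updating VTs in database ... done (74529 VTs).
md manage:   INFO:2021-09-15 14h14.56 utc:2146837: Updating VTs in database ... done (74549 VTs).
"""
SYNC_OUTPUT = """\
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.zope_zclass.nasl.8urJK1" failed: Permission denied (13)
rsync: [receiver] mkstemp "/usr/local/var/lib/openvas/plugins/pre2008/.zyxel_pwd.nasl.4IJbG1" failed: Permission denied (13)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1816) [generator=3.2.3]
/usr/local/sbin/greenbone-feed-sync: 259: cannot create /usr/local/var/lib/gvm/scap-data/feed.xml: Permission denied
"""

VT_RE = re.compile(r"INFO:(\d{4}-\d{2}-\d{2}) \S+ utc:\d+: "
                   r"Updating VTs in database \.\.\. done \((\d+) VTs\)")
MKSTEMP_RE = re.compile(r'rsync: \[receiver\] mkstemp "([^"]+)" failed: Permission denied')
CREATE_RE = re.compile(r"cannot create (\S+): Permission denied")
PARTIAL_RE = re.compile(r"rsync error: .*\(code 23\)")


def vt_history(log):
    """Return [(date, vt_count)] for every completed VT database update."""
    return [(day, int(count)) for day, count in VT_RE.findall(log)]


def denied_dirs(sync_output):
    """Count write failures per destination directory in the sync output."""
    paths = MKSTEMP_RE.findall(sync_output) + CREATE_RE.findall(sync_output)
    return Counter(str(PurePosixPath(p).parent) for p in paths)


def feed_health(log, sync_output, reference_vts):
    """Compare the last logged VT count with a caller-supplied reference
    count and report whether the sync itself ran into write failures."""
    history = vt_history(log)
    latest = history[-1][1] if history else 0
    return {
        "latest_vts": latest,
        "growth": latest - history[0][1] if history else 0,
        "stale": latest < reference_vts,
        "partial_sync": bool(PARTIAL_RE.search(sync_output)),
        "denied_dirs": denied_dirs(sync_output),
    }


if __name__ == "__main__":
    print(feed_health(GVMD_LOG, SYNC_OUTPUT, reference_vts=76000))
```

A result with `stale` and `partial_sync` both true, plus the directories listed in `denied_dirs`, points at the paths whose ownership and mode need checking against the user the sync runs as.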