immauss / openvas

Containers for running the Greenbone Vulnerability Manager. Run as a single container with all services or separate single applications containers via docker-compose.
GNU Affero General Public License v3.0

Set postgres password(s) #120

Closed kjake closed 2 years ago

kjake commented 2 years ago

Problem: There is no password in postgres for the user "postgres". Do you know if anything would break if I set a password manually? I might suggest that you do this as part of the container as well.

Why is it a problem: running gvm in host-mode is required for reflection testing (i.e. Log4j), this exposes the postgres port to the network and means that anyone can login to postgres as "postgres" without knowing a password.

immauss commented 2 years ago

This is a question for the community forum. I'm not really sure how that would work. https://community.greenbone.net

If you do find a solution, I would really appreciate it if you could link to it here.

Thanks, Scott

kjake commented 2 years ago

Looked into it more.

/data/database/pg_hba.conf includes lines which disable auth from the entire network. Additionally, /start.sh appends lines to the bottom of /data/database/pg_hba.conf any time the container is replaced. Should probably move /setup to a more persistent path, or leave /data/database/postgresql.conf and /data/database/pg_hba.conf alone if they already exist.

Changing /data/database/pg_hba.conf to the following lines allows local processes to connect as needed, but network connections will be challenged for a password. I did set a password for the postgres user and I haven't seen anything break.

host    all   all   0.0.0.0/0   md5
host    all   all   ::0/0       md5
local   all   all   trust

If this all sounds fine to you, I'll submit a PR for your review.
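As an added illustration, not code from this issue or from the immauss/openvas repository: a small Python audit that flags pg_hba.conf network entries using `trust` from a non-loopback source (the exposure described above), run against constructed copies of the permissive rules and of the replacement rules in this comment, plus an idempotent append helper for the restart-time appending behaviour mentioned above. All sample contents, rule lines and function names are constructed for the example.

```python
import ipaddress

# Constructed sample of the permissive rules described in the issue: every
# network client is trusted as any role, with no password.
WEAK_HBA = """\
local   all   all                 trust
host    all   all   127.0.0.1/32  trust
host    all   all   0.0.0.0/0     trust
host    all   all   ::0/0         trust
"""
# The replacement proposed in the thread: only the local socket is trusted.
FIXED_HBA = """\
host    all   all   0.0.0.0/0   md5
host    all   all   ::0/0       md5
local   all   all   trust
"""
NETWORK_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def _is_loopback(addr: str) -> bool:
    """True for 'samehost' or a literal loopback address/CIDR; 'all', 'samenet' and hostnames count as remote."""
    if addr == "samehost":
        return True
    try:
        return ipaddress.ip_network(addr, strict=False).is_loopback
    except ValueError:
        return False

def audit_pg_hba(text: str) -> list:
    """Return (line_no, entry) for network entries that 'trust' a non-loopback source."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        fields = entry.split()
        if len(fields) < 5 or fields[0] not in NETWORK_TYPES:
            continue
        addr, method = fields[3], fields[4]
        if len(fields) > 5 and fields[4][0].isdigit():  # "ADDRESS NETMASK METHOD" form
            method = fields[5]
        if method == "trust" and not _is_loopback(addr):
            findings.append((no, entry))
    return findings

def ensure_line(text: str, line: str) -> str:
    """Append a rule only if an equivalent one is not already present, so a
    start script that runs on every container restart does not pile up duplicates."""
    present = {tuple(l.split("#", 1)[0].split()) for l in text.splitlines()}
    if tuple(line.split()) in present:
        return text
    return text.rstrip("\n") + "\n" + line + "\n"
```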

immauss commented 2 years ago

Can you confirm this works with Postgres 13 as well?

kjake commented 2 years ago

> Can you confirm this works with Postgres 13 as well?

Sure thing. I do have Watchtower auto-updating my install, and I did log in the other day to make sure it was still working. Somehow, all my tasks were unscheduled, so I'm monitoring that right now. Regardless, I'll do some testing with a fresh setup to see if my above changes still work with pg13. Still willing to propose a PR as well.

immauss commented 2 years ago

@kjake Now that the latest branch is finally stable with pg13, a PR would be awesome.

-Scott

kjake commented 2 years ago

Cool! I'll work on that.

immauss commented 2 years ago

Never mind. I worked it out earlier this week, just have not pushed the change yet.

kjake commented 2 years ago

Ah, nice, sorry about that. As I mentioned in my other post, I’ve been on vacation. I’ll make sure to test your changes though.

immauss commented 2 years ago

These changes should be live now with the refresh from yesterday. :)