
Re: Greenbone Source Edition Docs



Hi,

On 05/07/2021 at 13:14, Björn Ricks wrote:
Hi,

after a long journey I could finally release a first version of a "build
from source" guide at https://greenbone.github.io/docs/
It includes an installation procedure and setup on how we currently
think our software stack should be deployed in a multi user setup. Feel
free to ask questions and provide feedback!

I read the documentation and it's very detailed and clear. Thanks!

Wherever possible I tried to be as close to the current Debian packages
from https://salsa.debian.org/pkg-security-team/ During writing the
guide it has become obvious that several defaults on our side didn't
make sense. Therefore I've changed a lot of default paths and also the
systemd service files. These changes will be included in the next bugfix
releases.

OK noted.

While writing the documentation some questions came up:
* Why do you use sudo runuser instead of sudo -u directly?

We use runuser in the script because runuser is part of the package
util-linux which is always installed (Essential: yes, so it doesn't require a
dependency). It also has a lighter PAM configuration than su or sudo.

In practice, we use "runuser" in a root context to switch to a different
user. But "sudo runuser" has no real advantage over "sudo -u" AFAIK.

* Is it safe or even allowed in Debian to use suid/sgid bits with
specific owner and group?

It's allowed to use suid/sgid bits. But when they are used with dynamic users
and groups they must be manually changed after the installation (in postinst
for Debian with dpkg-statoverride).

* Should /run be used directly or via /var/run indirectly?

I think we should use /run directly. It's the correct location.
/var/run was used before, but now it only exists to ensure compatibility
with systems still using /var/run.

* When to use /usr/sbin and /usr/bin?

According to Debian policy fhs: /usr/sbin "contains any non-essential
binaries used exclusively by the system administrator". So it contains the
scripts that require root access. /usr/bin contains "most user commands.
This is the primary directory of executable commands on the system."

In practice, it's not a big issue if you put everything in /usr/bin/.

In the meeting with Raphael I talked about offline node modules
installation by using the provided tarballs (for example
https://github.com/greenbone/gsa/releases/download/v21.4.1/gsa-node-modules-21.4.1.tar.gz)
and the yarn offline mode
(https://github.com/greenbone/gsa/blob/gsa-21.04/gsa/CMakeLists.txt#L67). Sadly
this doesn't work as expected because yarn includes specific metadata
into the node_modules directory (.yarn-integrity file) that depends on
the platform and nodejs version. It would be possible to patch that file
for the correct platform and nodejs version but I am not sure if it is
worth the effort.

I didn't test the build offline with the provided tarballs. If it doesn't
work as expected and the changes are too complicated, I don't think it is
worth the effort either.

[...]
* We stripped the binary postgres parts into an own library at
https://github.com/greenbone/pg-gvm This library is installed in a
postgres versioned path for example /usr/lib/postgresql/13/lib.
Therefore it should be possible to build and install the library for
different postgres versions.

It will help us to handle the postgresql version issues.

* The scanner architecture will change (again) to use an MQTT message
queue (paho-mqtt). Additionally at least one new component will be added
written in golang (https://github.com/greenbone/eulabeia). It could be
possible that the ospd part will not be needed anymore.

* GSA (the web application) and gsad (the web server) will be split into
two separate repositories. This should have been done from the beginning
but currently creates serious issues for the automatic releases.

* We will release bugfix versions at least every month

* After the 21.10 release the next 1.5 to 2 years we will only ship
minor changes even in major releases

Thanks for all this information.

Regards

Sophie
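The dpkg-statoverride point above (setuid/setgid bits on files owned by a user or group that only exists after installation) is easiest to see as a maintainer script. The following postinst fragment is an added example written for this thread; it is not from the Greenbone documentation or from the Debian packages, and the helper path, the _example-scanner account and the 2750 mode are all assumed. It creates the system account if needed, registers the override so dpkg keeps the bits across upgrades, and then checks that the file on disk really carries the requested mode.

```shell
#!/bin/sh
# Constructed Debian postinst fragment (example only, not Greenbone's or
# Debian's code). A helper must be setgid to a service group created at
# install time; the .deb cannot ship that bit, so the override is recorded
# with dpkg-statoverride, which dpkg honours on every later upgrade.
set -e

# Hypothetical names; the real path, user and group are assumptions.
HELPER=/usr/lib/example-scanner/helper   # assumed helper path
SVC_USER=_example-scanner                # assumed dynamic system user
SVC_GROUP=_example-scanner               # assumed dynamic system group
HELPER_MODE=2750                         # setgid, group-exec, nothing for others

ensure_system_account() {
    # Create the unprivileged account only if it does not exist yet, so the
    # script stays idempotent across reconfigure and upgrade.
    if ! getent group "$SVC_GROUP" >/dev/null; then
        addgroup --system "$SVC_GROUP"
    fi
    if ! getent passwd "$SVC_USER" >/dev/null; then
        adduser --system --ingroup "$SVC_GROUP" --no-create-home \
            --home /nonexistent --shell /usr/sbin/nologin "$SVC_USER"
    fi
}

ensure_statoverride() {
    # $1 path, $2 owner, $3 group, $4 octal mode.
    # --list exits non-zero when no override is registered for the path;
    # --update applies the ownership and mode to the file immediately.
    if ! dpkg-statoverride --list "$1" >/dev/null 2>&1; then
        dpkg-statoverride --update --add "$2" "$3" "$4" "$1"
    fi
}

verify_mode() {
    # Report whether the file on disk carries exactly the requested bits
    # (GNU stat prints the mode in octal including setuid/setgid).
    actual=$(stat -c '%a' "$1")
    [ "$actual" = "$2" ]
}

case "${1:-}" in
    configure)
        ensure_system_account
        ensure_statoverride "$HELPER" root "$SVC_GROUP" "$HELPER_MODE"
        verify_mode "$HELPER" "$HELPER_MODE"
        ;;
esac
```

Keeping the owner as root and granting only the setgid bit for the service group is the least-privilege variant: the helper gains the group's access without becoming a setuid-root binary. The verify_mode check is worth keeping in a postinst because a pre-existing override with a different mode, or a filesystem mounted nosuid, would otherwise go unnoticed until the service fails at runtime.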