After installation or upgrade the socket directory /run/clamav has the permissions 0711 instead of 0755. This makes it impossible for any other program (e.g. Rspamd) to connect to the socket /run/clamav/clamd.ctl inside that directory, although the client is a member of the clamav group, as the group has no permission to read the directory. The correct permission should be 0755. Note, the permissions on the socket file itself are fine and are set by the clamd daemon itself when the daemon starts, according to the daemon's configuration file.

Reproducible: Always

Steps to Reproduce:
1. (Re-)Emerge app-antivirus/clamav
2. /run/clamav has permissions 0711

Actual Results:
/run/clamav has permissions 0711

Expected Results:
/run/clamav should have permissions 0777
The execute bit on a directory allows files within the directory to be accessed. The read bit on a directory allows files within the directory to be listed. I don't see any obvious reason random programs would need to list the contents of /run/clamav. Mode 0711 should suffice.
I haven't looked into the implementation of rspamd, but the fact is that rspamd cannot connect to clamav if the directory permissions are 0711. The issue vanishes if the permissions are set to 0755 manually. Currently, I fix this issue by remembering to change the permissions after a (re-)emerge of clamav. Maybe rspamd first tries to open the directory for reading, I don't know. You could call this a bug on the rspamd side, but this would have to be fixed upstream by rspamd, while the directory permissions are something which Gentoo can fix itself. Also, there is nothing inside the directory which isn't public information. Hence, 0755 should be fine, too. Moreover, 0755 would be more consistent with all the other directories below /run/ which store daemon sockets. Currently, clamav is the only package (at least the only package I have installed) which uses an overly restricted 0711 for its directory. All other services which create directories with sockets (PHP FPM, rspamd, PostgreSQL, Postfix, Dovecot, ...) also use 0755 for their directory. I guess 0755 is so usual that this is the only case which gets enough upstream attention and becomes tested. 0711 is causing problems and probably will continue to cause problems if it isn't widely used.
No objection from me, the OpenRC service scripts are using 755.
After installing app-antivirus/clamav-1.2.1, /run/clamav looks like this:

drwx--x--- 2 clamav clamav 40 Jan 9 11:21 /run/clamav

That is mode 0710, not 0711. That's a big difference, and it would explain why rspamd is unable to access the socket. That mode appears to come from the tmpfiles.d entry:

% cat /usr/lib/tmpfiles.d/clamav.conf
d /run/clamav 0710 clamav clamav

This tmpfiles entry should probably be updated with a more permissive mode.
The 710 was probably reasonable at the time. The "standard" advice from random how-to pages on the internet was to add your mail filter to the clamav group or vice-versa to ensure that e.g. clamd (running as clamav) could access the files that the mail filter (running as e.g. amavis) is trying to scan. If you do that, then mode 0710 will suffice. But, a better approach (especially when it comes to distro packaging) is to run "clamd --fdpass" from the mail filter. That uses a standard UNIX trick that allows clamd to read the mail filter's files via their descriptors. With that, anyone can scan any file that he can read, and there's no need to mess with the users and groups on your system. You do however need to be able to traverse /run/clamav as an unprivileged user to write to the socket. Regardless of what rspamd is doing, the default in amavisd is now to use --fdpass, and the wiki says not to mess with the users/groups. For that to work on systemd, /run/clamav should be world-traversable.
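The permission rule discussed in this thread (the directory's execute bit is what a client needs to reach a socket inside it; the read bit only governs listing) applied to tmpfiles.d entries, as an added example that is not part of the bug, the clamav package or Gentoo's ebuilds. The sample entries are constructed; only the /run/clamav line mirrors the one quoted above.

```python
import stat

# Constructed sample in tmpfiles.d(5) format. The first entry mirrors the line
# quoted in the bug; the other two are made up for comparison.
SAMPLE_TMPFILES = """\
# Type Path Mode User Group Age Argument
d /run/clamav 0710 clamav clamav
d /run/rspamd 0755 rspamd rspamd
d /run/clamav-fixed 0755 clamav clamav
"""

def parse_tmpfiles(text):
    """Yield (path, mode, user, group) for 'd'/'D' entries; skip comments and other types."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0] not in ("d", "D") or len(fields) < 2:
            continue
        # '-' means the tmpfiles default, which is 0755 for directories; the
        # optional '~' (mask) and ':' (apply-on-create) prefixes are ignored here.
        mode_field = fields[2].lstrip("~:") if len(fields) > 2 else "-"
        mode = 0o755 if mode_field in ("-", "") else int(mode_field, 8)
        user = fields[3] if len(fields) > 3 else "root"
        group = fields[4] if len(fields) > 4 else "root"
        yield fields[1], mode, user, group

def can_reach_socket(mode, *, is_owner=False, in_group=False):
    """Can a client enter a directory with this mode to connect() to a socket in it?

    Only the execute (search) bit of the client's class matters; the read bit
    controls listing, which connect() never needs.
    """
    if is_owner:
        return bool(mode & stat.S_IXUSR)
    if in_group:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def audit(text):
    """Map each directory that a client outside the owner/group cannot enter to
    its octal mode, i.e. the entries that break unprivileged --fdpass clients."""
    return {path: oct(mode) for path, mode, _u, _g in parse_tmpfiles(text)
            if not can_reach_socket(mode)}

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TMPFILES
    for path, mode in audit(text).items():
        print(f"{path}: mode {mode} is not world-traversable; clients outside the group cannot connect")
```

Run it with a path such as /usr/lib/tmpfiles.d/clamav.conf to check an installed entry; with no argument it audits the constructed sample.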
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=873ea574ea7e050bd7f1a7d4297528d3b2e5592e

commit 873ea574ea7e050bd7f1a7d4297528d3b2e5592e
Author: Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2024-01-16 01:14:32 +0000
Commit: Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2024-01-16 01:35:10 +0000

app-antivirus/clamav: fix LTS socket permissions under systemd

Bug: https://bugs.gentoo.org/921617
Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

.../{clamav-0.103.11.ebuild => clamav-0.103.11-r1.ebuild} | 11 ++++-------
app-antivirus/clamav/files/tmpfiles.d/clamav-r1.conf | 1 +
2 files changed, 5 insertions(+), 7 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=89533ae52db8767ae8b0306c6f91b1f015fa71d0

commit 89533ae52db8767ae8b0306c6f91b1f015fa71d0
Author: Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-06-29 08:14:03 +0000
Commit: Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-06-29 08:33:18 +0000

app-antivirus/clamav: update tmpfiles configuration

The previous configuration was overly strict, making it impossible for applications to connect to the socket. Historically this was not an issue as guidance was to just add these other apps to the clamav group, but this is no longer the case.

Bug: https://bugs.gentoo.org/921617
Signed-off-by: Matt Jolly <kangie@gentoo.org>

app-antivirus/clamav/clamav-1.0.5.ebuild | 10 ++--------
.../{clamav-1.3.1-r1.ebuild => clamav-1.3.1-r2.ebuild} | 14 +++++--------
2 files changed, 7 insertions(+), 17 deletions(-)