
Bug 582110

Summary: app-antivirus/clamav: systemd socket permissions prevent group members from connecting
Product: Gentoo Linux
Reporter: Olliver Schinagl <oliver>
Component: Current packages
Assignee: Antivirus Team <antivirus>
Status: CONFIRMED
Severity: minor
CC: antivirus, kangie, mjo, net-mail+disabled, proxy-maint
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Olliver Schinagl 2016-05-04 19:55:47 UTC
After switching to systemd using the default socket, /var/run/clamav/clamd.sock with amavis and clamav, amavis gets greeted with permission denied errors on the clamd socket, even though it is srw-rw-rw-. /var/run is with systemd symlinked to /run which is tmpfs mounted (tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)).
Even changing to /tmp/clamd.sock (also tmpfs) the socket still fails.

Changing the socket to /var/lib/clamav/clamd.sock works as a work around, as that normally is a normally mounted filesystem.

I'm not sure if it is an amavis, clamd or systemd (well, a mount) bug, but patching both temporarily to /var/lib/clamav/clamd.sock prevents problems until upstream sorts this.

Reproducible: Always
Comment 1 Alex Xu (Hello71) 2016-05-08 19:03:33 UTC
Please paste the output of "stat /run".
Comment 2 Olliver Schinagl 2016-05-09 09:55:07 UTC
Gladly,

  File: ‘/run’
  Size: 900             Blocks: 0          IO Block: 4096   directory
Device: 13h/19d Inode: 1140        Links: 28
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-05-06 10:57:17.039999946 +0200
Modify: 2016-05-06 16:48:21.102187339 +0200
Change: 2016-05-06 16:48:21.102187339 +0200
 Birth: -

For completeness' sake:
  File: ‘/var/lib/clamav/’
  Size: 156             Blocks: 0          IO Block: 4096   directory
Device: 25h/37d Inode: 536         Links: 1
Access: (0755/drwxr-xr-x)  Uid: (  104/  clamav)   Gid: (  997/  clamav)
Access: 2016-05-01 17:11:34.000000000 +0200
Modify: 2016-05-09 10:00:49.053277956 +0200
Change: 2016-05-09 10:00:49.053277956 +0200
 Birth: -

which is where I keep my socket for now.
  File: ‘/var/lib/clamav/clamd.sock’
  Size: 0               Blocks: 0          IO Block: 4096   socket
Device: 25h/37d Inode: 920397      Links: 1
Access: (0666/srw-rw-rw-)  Uid: (  104/  clamav)   Gid: (  997/  clamav)
Access: 2016-05-06 10:57:47.379998898 +0200
Modify: 2016-05-06 10:57:47.379998898 +0200
Change: 2016-05-06 10:57:47.379998898 +0200
 Birth: -
Comment 3 Olliver Schinagl 2016-05-09 12:11:19 UTC
P.S.
Also a directory is made for clamav under /run:
  File: ‘/run/clamav/’
  Size: 80              Blocks: 0          IO Block: 4096   directory
Device: 13h/19d Inode: 3045        Links: 2
Access: (0710/drwx--x---)  Uid: (  104/  clamav)   Gid: (  997/  clamav)
Access: 2016-05-06 10:57:19.049999877 +0200
Modify: 2016-05-06 10:57:47.399998897 +0200
Change: 2016-05-06 10:57:47.399998897 +0200
 Birth: -
Comment 4 Alex Xu (Hello71) 2016-05-22 22:40:58 UTC
It won't work for sure if you put it in /tmp because the unit has PrivateTmp=true. You could try stracing amavis or socat UNIX-CONNECT when it's in /run though.
Comment 5 Simon Siemonsma 2016-06-01 19:35:11 UTC
Just had the same problem a few minutes ago.
chmod 755 /var/run/clamav
The essential part is that the x bit is set in the directory.
(it also works with 711).
Comment 6 Simon Siemonsma 2016-06-16 17:40:05 UTC
Seems chmod on the /var/run/clamav directory doesn't survive a reboot.
Elsewhere it is recommended to make clamav member of the amavis group and amavis member of the clamav group.
This doesn't seem to help.
Comment 7 Michael Orlitzky gentoo-dev 2018-10-13 02:14:11 UTC
This is because the clamav tmpfiles.d entry makes /run/clamav mode 710 every time the machine starts:

  d /run/clamav 0710 clamav clamav

That should probably be 750 instead. Then adding the amavis user to the "clamav" group would allow it to enter that directory and access the socket.

It works in OpenRC because the permissions on that directory get adjusted to 755 on-the-fly, but in my opinion, that's a mistake.
Comment 8 Michael Orlitzky gentoo-dev 2019-03-26 20:22:28 UTC
Assigning to antivirus@ because I think this needs to be fixed in clamav. Please see my previous comment. Most likely, /run/clamav should be mode 750 under both systemd and OpenRC.

NOTE: both the tmpfiles.d and OpenRC init script need to be updated, if you believe me. The tmpfiles.d entry makes the permissions too strict (710), and OpenRC leaves them too loose (755).
Comment 9 Thomas Raschbacher gentoo-dev 2019-08-21 20:05:12 UTC
I will have a look at this soon. But what you (@mjo) say seems to make sense.
Comment 10 Michael Orlitzky gentoo-dev 2021-07-17 21:13:10 UTC
There was a bug in amavis that prevented multiple groups from working correctly:

  https://gitlab.com/amavis/amavis/-/issues/68

When the next version of amavis is released, we can finally fix these socket permissions and have things Just Work out of the box.
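
Added example (not part of the bug thread or of any Gentoo, clamav or amavis code): a small model of the permission check behind Comments 7 and 10, showing which path component blocks a connect for each /run/clamav mode discussed (710, 750, 755). The amavis uid/gid are placeholder values, the socket under /run is assumed to be owned by clamav:clamav with the srw-rw-rw- mode from the description, and root is not modelled.

```python
# Constructed model of the path from the report: (path, mode, uid, gid).
# 104/997 are the clamav ids shown in the stat output in the thread.
CLAMAV_UID, CLAMAV_GID = 104, 997
AMAVIS_UID, AMAVIS_GID = 1001, 1001  # assumed placeholder ids, not from the page


def class_bits(mode, uid, gid, who_uid, who_gids):
    """Return the rwx bits of the single class that applies: owner, else group, else other."""
    if who_uid == uid:
        return (mode >> 6) & 7
    if gid in who_gids:
        return (mode >> 3) & 7
    return mode & 7


def layout(dir_mode):
    """Path to the socket, with /run/clamav created using dir_mode."""
    return [
        ("/run", 0o755, 0, 0),
        ("/run/clamav", dir_mode, CLAMAV_UID, CLAMAV_GID),
        ("/run/clamav/clamd.sock", 0o666, CLAMAV_UID, CLAMAV_GID),
    ]


def can_connect(entries, who_uid, who_gids):
    """Directories need search (x); the socket itself needs write. Returns (ok, blocker)."""
    *dirs, sock = entries
    for path, mode, uid, gid in dirs:
        if not class_bits(mode, uid, gid, who_uid, who_gids) & 1:
            return False, path
    path, mode, uid, gid = sock
    if not class_bits(mode, uid, gid, who_uid, who_gids) & 2:
        return False, path
    return True, None


if __name__ == "__main__":
    for mode in (0o710, 0o750, 0o755):
        for label, gids in (("primary group only", {AMAVIS_GID}),
                            ("plus clamav group", {AMAVIS_GID, CLAMAV_GID})):
            print(oct(mode), label, can_connect(layout(mode), AMAVIS_UID, gids))
```

The "primary group only" rows also cover a process whose supplementary groups are not in effect: it is evaluated as "other" on /run/clamav regardless of what /etc/group says.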