I recently upgraded openrc to the latest stable version (0.11.5). Previously /var/run/clamav did not have group write permissions (drwxr-xr-x), but since I upgraded openrc it is group writable (drwxrwxr-x). When I reboot it now reverts to being group writable. As a consequence sendmail refuses to start:

# /usr/sbin/sendmail -bd -q30m -L sm-mta
451 4.0.0 /etc/mail/sendmail.cf: line 1758: Xclmilter: local socket name /var/run/clamav/clamav-milter.sock unsafe: Group writable directory

Reproducible: Always

Steps to Reproduce:
1. Upgrade openrc to 0.11.5
2. Reboot
3. Start sendmail with INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clamav-milter.sock,F=, T=S:4m;R:4m')dnl option

Actual Results:
# /usr/sbin/sendmail -bd -q30m -L sm-mta
451 4.0.0 /etc/mail/sendmail.cf: line 1758: Xclmilter: local socket name /var/run/clamav/clamav-milter.sock unsafe: Group writable directory

Suggest the following is added to the init script on line 38:

Change:

    checkpath --quiet \
        --owner $(get_config clamd User clamav):root \
        --directory `dirname ${clamd_socket}`

to

    checkpath --quiet \
        --mode 755 --owner $(get_config clamd User clamav):root \
        --directory `dirname ${clamd_socket}`

1. Which version of clamav are you using?
2. When did you emerge clamav (eix clamav)?
3. Are you sure you have only changed openrc and have not changed clamav?

(In reply to comment #1)
> 1. Which version of clamav are you using?
> 2. When did you emerge clamav (eix clamav)?
> 3. Are you sure you have only changed openrc and have not changed clamav?

1. clamav is the latest stable version: 0.97.5-r1

2.
    $ eix clamav -I
    [I] app-antivirus/clamav
         Available versions:  0.97.3^t ~0.97.4^t ~0.97.5^t 0.97.5-r1^t ~0.97.6^t {{bzip2 clamdtop iconv ipv6 milter selinux static-libs}}
         Installed versions:  0.97.5-r1^t(08:23:00 18/08/12)(bzip2 iconv milter -clamdtop -ipv6 -selinux -static-libs)
         Homepage:            http://www.clamav.net/
         Description:         Clam Anti-Virus Scanner

3. Yes

The init script comes from /usr/portage/app-antivirus/clamav/files/clamd.initd and contains the following:

    checkpath --quiet \
        --owner $(get_config clamd User clamav):root \
        --directory `dirname ${clamd_socket}`

I suspect that openrc creates an empty /run directory and this init script creates the directory for the clamav socket, as set out in the default /etc/clamd.conf (which contains: LocalSocket /var/run/clamav/clamd.sock), with group writable permissions.

I am assigning this to the klamav maintainers since the issue is with their init script.

The issue is /var/run is now linked to /run, and their init script needs to create the subdirectory correctly as pointed out in the above comments.

If the daemon itself creates the directory, you will want to be sure it creates the directory with the correct permissions. Otherwise, the init script should use checkpath to do so.

Thanks,
William

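The permission test behind the "unsafe: Group writable directory" error, and the effect of pinning the mode at creation time, as an added shell example that is not part of the original thread or of the clamav init script. It is simplified: only the socket's immediate parent directory is inspected, plain mkdir stands in for checkpath, and the scratch paths are constructed.

```shell
#!/bin/sh
# Added example: approximates the directory test that makes a milter
# socket path "unsafe". Assumption: only the socket's immediate parent
# directory is inspected here.

# socket_dir_safe SOCKET_PATH
# 0 = directory not writable by group or other, 1 = writable, 2 = missing.
socket_dir_safe() {
    dir=$(dirname "$1")
    [ -d "$dir" ] || return 2
    # ls -ld prints e.g. "drwxrwxr-x": column 6 is group write,
    # column 9 is other write.
    perms=$(ls -ld "$dir" | cut -c1-10)
    gw=$(printf '%s' "$perms" | cut -c6)
    ow=$(printf '%s' "$perms" | cut -c9)
    [ "$gw" != "w" ] && [ "$ow" != "w" ]
}

# make_socket_dir DIR [MODE]
# Without MODE the resulting bits depend on the creator's defaults and
# umask; with MODE they are pinned, which is what --mode 755 asks of
# checkpath in the proposed init script change.
make_socket_dir() {
    if [ -n "${2:-}" ]; then
        mkdir -m "$2" "$1"
    else
        mkdir "$1"
    fi
}

# Constructed demo; the scratch directories are hypothetical stand-ins
# for /var/run/clamav.
demo() {
    base=$(mktemp -d) || return 1
    ( umask 002; make_socket_dir "$base/implicit" )      # drwxrwxr-x
    ( umask 002; make_socket_dir "$base/pinned" 755 )    # drwxr-xr-x
    for d in implicit pinned; do
        if socket_dir_safe "$base/$d/clamav-milter.sock"; then
            echo "$d: ok"
        else
            echo "$d: unsafe: group or world writable directory"
        fi
    done
    rm -rf "$base"
}

demo
```
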
+*clamav-0.97.6-r1 (06 Dec 2012) + + 06 Dec 2012; Eray Aslan <eras@gentoo.org> +clamav-0.97.6-r1.ebuild, + +files/clamd.initd-r1: + Fix run directory permissions - bug #444766. Fix building on uclibc - bug + #317635 +
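
Review bot: The entry text "Fix run directory permissions" does not say which mode the directory now receives; stating it (the report proposed --mode 755) would let a reader check the fix against bug #444766 without opening files/clamd.initd-r1. The same entry also folds the unrelated uclibc build fix (bug #317635) into this revision bump, and listing the two changes as separate sentences tied to their files would make each easier to trace.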