[Pkg-clamav-devel] Bug#522106: clamav-daemon: Doesn't start with anal permissions on /root

Richard A Nelson cowboy at debian.org
Tue Mar 31 20:08:25 UTC 2009


Package: clamav-daemon
Version: 0.95+dfsg-1
Severity: normal

I'm getting the following on most of my centrally managed machines,
where policy has been that no one can peruse /root and cfengine
enforces that policy (so the bypass below is only temporary).

It seems odd to su <user> (shouldn't that really be su - <user>) and
then invoke start-stop-daemon - which has its own chuid argument.

Or, I guess the cheap solution would be to:
	cd "$DataBaseDirectory" -- or $(dirname "$SUPERVISORPIDFILE")
before the startup

---------------------------------------------------------------------------

# ls -ld /root
drwx--S---. 29 root root 3072 Mar 31 19:50 /root/

# /etc/init.d/clamav-daemon restart
Stopping ClamAV daemon: clamd Waiting .  .  .  .  .  .  .  .  .  . .
Starting ClamAV daemon: clamd /sbin/start-stop-daemon: Unable to chdir() to /root (Permission denied)
 failed!

# chmod go+x /root
/etc/init.d/clamav-daemon restart
Stopping ClamAV daemon: clamd.
Starting ClamAV daemon: clamd .

---------------------------------------------------------------------------
-- Package-specific info:
--- configuration ---
ClamAV engine version: 0.95
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamav.log"
LogFileUnlock disabled
LogFileMaxSize disabled
LogTime = "yes"
LogClean disabled
LogVerbose disabled
LogSyslog = "yes"
LogFacility = "LOG_LOCAL6"
PidFile = "/var/run/clamav/clamd.pid"
TemporaryDirectory = "/tmp"
DatabaseDirectory = "/var/lib/clamav"
LocalSocket = "/var/run/clamav/clamd.ctl"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "15"
StreamMaxLength = "10485760"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "5"
SendBufTimeout = "500"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
SelfCheck = "3600"
VirusEvent disabled
ExitOnOOM disabled
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamav"
AllowSupplementaryGroups = "yes"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables disabled
ScanMail = "yes"
MailFollowURLs disabled
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
ScanPDF = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted disabled
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxFiles = "10000"
ClamukoScanOnAccess disabled
ClamukoScanOnOpen disabled
ClamukoScanOnClose disabled
ClamukoScanOnExec disabled
ClamukoIncludePath disabled
ClamukoExcludePath disabled
ClamukoMaxFileSize = "5242880"
DevACOnly disabled
DevACDepth disabled

Config file: freshclam.conf
---------------------------
LogFileMaxSize disabled
LogTime disabled
LogVerbose disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
PidFile = "/var/run/clamav/freshclam.pid"
DatabaseDirectory = "/var/lib/clamav/"
Foreground disabled
Debug disabled
AllowSupplementaryGroups disabled
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "clamav"
Checks = "24"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
MaxAttempts = "5"
ScriptedUpdates = "yes"
CompressLocalDatabase disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamav/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout = "30"
SubmitDetectionStats disabled
DetectionStatsCountry disabled
SafeBrowsing disabled

clamav-milter.conf not found

--- data dir ---
total 62128
-rw-r--r--  1 clamav clamav     3973 Mar 30 18:50 MSRBL-Images.hdb
-rw-r--r--. 1 clamav clamav   243578 Mar 18 11:03 MSRBL-SPAM.ndb
-rw-r--r--  1 clamav clamav  2378240 Mar 31 15:39 daily.cld
-rw-r--r--. 1 clamav clamav    31906 Jan 22 06:27 honeynet.hdb
-rw-r--r--. 1 clamav clamav     9484 Jan 21 11:10 honeynet.hdb.gz
-rw-r--r--. 1 clamav clamav   747581 Nov  6 06:30 junk.ndb
-rw-r--r--. 1 clamav clamav   130167 Nov  5 18:56 junk.ndb.gz
-rw-r--r--. 1 clamav clamav 44391424 Feb 15 22:52 main.cld
-rw-r--r--  1 clamav clamav    99405 Mar 31 06:26 mbl.db
-rw-------. 1 clamav clamav      780 Mar 31 19:39 mirrors.dat
-rw-r--r--. 1 clamav clamav  1676397 Nov  6 06:30 phish.ndb
-rw-r--r--. 1 clamav clamav   270749 Nov  5 18:56 phish.ndb.gz
-rw-r--r--. 1 clamav clamav    22183 Nov  6 06:30 rogue.hdb
-rw-r--r--. 1 clamav clamav     9017 Nov  5 18:56 rogue.hdb.gz
-rw-r--r--. 1 clamav clamav  1373515 Nov  6 06:31 scam.ndb
-rw-r--r--. 1 clamav clamav   271560 Nov  5 18:56 scam.ndb.gz
-rw-r--r--. 1 clamav clamav  7451460 Mar 14 06:26 securiteinfo.hdb
-rw-r--r--. 1 clamav clamav  3012029 Mar 13 10:53 securiteinfo.hdb.gz
-rw-r--r--. 1 clamav clamav   109076 Oct  7 06:25 submit_action_list_clamav
-rw-r--r--  1 clamav clamav    24365 Mar 31 06:26 submit_action_list_clamav.gz
-rw-r--r--. 1 clamav clamav   805365 Jun 11  2008 vx.hdb
-rw-r--r--. 1 clamav clamav   321464 Jun 10  2008 vx.hdb.gz

-- System Information:
Debian Release: squeeze-sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages clamav-daemon depends on:
ii  clamav-base            0.95+dfsg-1       anti-virus utility for Unix - base
ii  clamav-freshclam [clam 0.95+dfsg-1       anti-virus utility for Unix - viru
ii  libbz2-1.0             1.0.5-1           high-quality block-sorting file co
ii  libc6                  2.9-6             GNU C Library: Shared libraries
ii  libclamav6             0.95+dfsg-1       anti-virus utility for Unix - libr
ii  libltdl3               1.5.26-4          A system independent dlopen wrappe
ii  libtommath0            0.39-3            multiple-precision integer library
ii  lsb-base               3.2-22            Linux Standard Base 3.2 init scrip
ii  ucf                    3.0018            Update Configuration File: preserv
ii  zlib1g                 1:1.2.3.3.dfsg-13 compression library - runtime

clamav-daemon recommends no packages.

Versions of packages clamav-daemon suggests:
ii  clamav-docs                  0.95+dfsg-1 anti-virus utility for Unix - docu
pn  daemon                       <none>      (no description available)

-- no debconf information
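
The workaround suggested in the report (change to a directory the daemon user can enter before startup) can be sketched as follows. This is an added example, not code from the report or from the Debian init script; the function names `world_traversable` and `pick_workdir` are hypothetical, and the check looks only at the "other" permission bits, ignoring ACLs, group membership and SELinux.

```shell
#!/bin/sh
# Added illustration: pick a working directory that an unprivileged
# account can enter, so a privilege drop does not inherit a cwd such as
# a locked-down /root (drwx--S--- in the report).

# Return 0 if the directory and every ancestor up to / carry the "other"
# execute (search) bit. Mode bits are inspected instead of attempting
# access, so the result is the same when the caller is root.
# Approximation: ACLs, group membership and SELinux are not considered.
world_traversable() {
    wt_path=$1
    [ -d "$wt_path" ] || return 1
    # Resolve symlinks and relative paths inside a subshell.
    wt_path=$(CDPATH= cd -- "$wt_path" 2>/dev/null && pwd -P) || return 1
    while :; do
        wt_mode=$(stat -c %a "$wt_path" 2>/dev/null) || return 1
        # The last octal digit is the "other" class; odd means x is set.
        case ${wt_mode#"${wt_mode%?}"} in
            1|3|5|7) ;;
            *) return 1 ;;
        esac
        [ "$wt_path" = / ] && return 0
        wt_path=$(dirname "$wt_path")
    done
}

# Print the first candidate that is world-traversable; fall back to /.
pick_workdir() {
    for pw_cand in "$@"; do
        if world_traversable "$pw_cand"; then
            printf '%s\n' "$pw_cand"
            return 0
        fi
    done
    printf '/\n'
}

# Intended use in an init script, before the daemon is started
# (paths taken from the clamd.conf dump in the report):
#   cd "$(pick_workdir /var/lib/clamav /var/run/clamav)"
```
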




