[Pkg-clamav-devel] Bug#636881: Milter socket permissions not set properly
Dara Adib
daradib at OCF.Berkeley.EDU
Thu Oct 27 14:16:54 UTC 2011
See my reply to #636877, but basically one either has to make clamav a
member of group postfix or set SOCKET_RWGROUP
in /etc/default/clamav-milter but not in clamav-milter.conf.
> root at domine:/var/spool/postfix/clamav# grep Milter /etc/clamav/clamav-milter.conf
> MilterSocket /var/spool/postfix/clamav/clamav-milter.ctl
> MilterSocketGroup postfix
> MilterSocketMode 660
clamav needs to be a member of group postfix so that it can set postfix
group ownership for the milter socket.
> s--------- 1 clamav clamav 0 Aug 6 19:20 clamav-milter.ctl
Reproducing this problem, it seems that this is the behavior when
clamav-milter cannot change the socket group ownership. There should be
an error message "Failed to change socket ownership to group postfix"
in syslog.
> This is because the init.d script now does chgrp and chmod g+w, but
> not more.
And it does that as root. It seems the MilterSocket settings in
clamav-milter.conf are applied by default after privileges are dropped
to user clamav, which can't change group ownership unless it is a
member of the group.
What works for me (besides adding clamav to group postfix, which might
be an extra security risk?):
$ grep Milter /etc/clamav/clamav-milter.conf
MilterSocket /var/spool/postfix/clamav/clamav-milter.ctl
#MilterSocketGroup postfix # handled by /etc/default/clamav-milter
MilterSocketMode 660
$ ls -l
total 0
srw-rw---- 1 clamav postfix 0 Oct 27 07:13 clamav-milter.ctl
$ grep -v ^\# /etc/default/clamav-milter
SOCKET_RWGROUP=postfix
SOCKET_PATH=/var/spool/postfix/clamav/clamav-milter.ctl
Since clamav-milter is started as root anyway and then drops privileges
to user clamav in the default configuration, I would assume that the
socket group ownership as specified in clamav-milter.conf could be
changed earlier on as root, and that this would be the preferred fix
(depending on upstream), obsoleting /etc/default/clamav-milter.
Dara
--
OCF: all-volunteer, student-run service group providing
free printing, web hosting, disk space, email, and Unix shell accounts
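The behaviour described in the message (a socket left as "s---------" because the daemon could not chgrp it after dropping privileges, and a chgrp/chmod that succeeds once done by a process that is either root or a member of the target group) can be checked with a small audit script. The following is an added example; it is not part of Dara's message or of the clamav-milter package. It assumes the expected mode 660 from the report and, for the demo, uses the caller's own primary group in place of "postfix" so it runs unprivileged; the temporary socket it creates is constructed input.

```python
import grp
import os
import socket
import stat
import tempfile

# Mode mirrored from the report (MilterSocketMode 660). The MTA group is passed
# in by the caller; this script does not read clamav-milter.conf.
EXPECTED_MODE = 0o660


def group_name(gid):
    """Resolve a gid to a name, falling back to the number if /etc/group lacks it."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def group_id(group):
    """Accept a group name, a numeric string or an int and return the gid."""
    if isinstance(group, int):
        return group
    try:
        return grp.getgrnam(group).gr_gid
    except KeyError:
        return int(group)


def audit_milter_socket(path, expected_group, expected_mode=EXPECTED_MODE):
    """Report whether the socket at `path` is reachable by the MTA's group.

    A socket listed as 's---------' (mode 0000) owned by group clamav is the
    failure signature from the report: the chgrp after privilege drop failed,
    so nothing ever opened the permissions to the postfix group.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return {"ok": False, "problems": ["socket does not exist"]}
    problems = []
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("not a unix socket")
    actual_group = group_name(st.st_gid)
    if group_id(actual_group) != group_id(expected_group):
        problems.append(f"group is {actual_group}, expected {expected_group}")
    actual_mode = stat.S_IMODE(st.st_mode)
    if actual_mode != expected_mode:
        problems.append(f"mode is {actual_mode:04o}, expected {expected_mode:04o}")
    return {"ok": not problems, "problems": problems,
            "group": actual_group, "mode": actual_mode}


def set_socket_group(path, group, mode=EXPECTED_MODE):
    """Apply the group and mode the daemon (or the init script's chgrp/chmod) wants.

    An unprivileged process may only chown a file to a group it belongs to;
    otherwise chown fails with EPERM. That is why the report says clamav must be
    in group postfix, or the chgrp must be done as root before privileges are
    dropped (SOCKET_RWGROUP in /etc/default/clamav-milter).
    """
    gid = group_id(group)
    try:
        os.chown(path, -1, gid)
    except PermissionError as e:
        return False, f"Failed to change socket ownership to group {group}: {e}"
    os.chmod(path, mode)
    return True, f"socket is now group {group_name(gid)}, mode {mode:04o}"


def demo(mta_group=None):
    """Create a throwaway socket (constructed input) that starts out in the broken
    's---------' state, audit it, repair it, and audit it again.
    Returns both audit results and the repair message."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "clamav-milter.ctl")
    if mta_group is None:
        mta_group = group_name(os.getgid())  # a group this process is certainly in
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o777)  # bind() creates the node with 0777 & ~umask, so 0000
    try:
        sock.bind(path)
    finally:
        os.umask(old_umask)
    before = audit_milter_socket(path, mta_group)
    repaired, message = set_socket_group(path, mta_group)
    after = audit_milter_socket(path, mta_group)
    sock.close()
    os.unlink(path)
    os.rmdir(workdir)
    return {"before": before, "repaired": repaired, "message": message, "after": after}


if __name__ == "__main__":
    result = demo()
    for key in ("before", "message", "after"):
        print(key, result[key])
```

On a real host, `audit_milter_socket(SOCKET_PATH, "postfix")` against the path from /etc/default/clamav-milter is the quick check that the init script's chgrp/chmod actually took effect; `set_socket_group` run as the clamav user reproduces the EPERM the daemon hits when it is not in group postfix.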