[Pkg-clamav-devel] Bug#822444: Solved

Xavier Quost xquost2000 at yahoo.fr
Sun May 1 06:08:14 UTC 2016


Hello Sebastian

 
> A lot of the stuff in clamav-daemon is legacy stuff and solved in
> systemd differently. To give an example:
> - we pass `-c /etc/clamav/clamd.conf' in the non-systemd case. But this
>   is the default settings so we could drop it. Therefore it makes no
>   difference if you pass this in systemd case or not (nothing changes).
> - In the systemv case we start the daemon via start-stop-daemon and pass
>   the user from the config as an argument. We could however start clamd
>   as root and let the daemon itself change the user to whatever is
>   selected in clamd.conf. This is what happens in the systemd case.

Thanks, so there is no use in specifying the configuration file in the systemd clamav-daemon.service
 
> I installed clamsmtp and been looking a little around and I think I
> found the problem: Your clamd.conf says
> 	AllowSupplementaryGroups disabled
> but clamsmtp adds the group clamsmtp to the clamav user:
> # id clamav
> uid=108(clamav) gid=113(clamav) groups=113(clamav),114(clamsmtp)
> 
> With this option set to disabled / false clamav has only access to the
> clamav user+group. I think if you revert your changes and instead set
> true here (to AllowSupplementaryGroups) then it should work again. I
> *think* systemd + start-stop-daemon do this by default and that is why
> we did not notice this before.
> Could you please check if this change works for you?

Yes it solves the problem.
Sorry for not having looked further than the user in the clamd.conf configuration file.


Remarks:
(1) I have not edited the clamd.conf file (but that is still not an excuse for not checking this file). It's a file resulting from (not provided by) the installation of the clamav-daemon package.
(2) It seems that starting clamd by sysinit does not enforce the right permissions (<joke> shall I open a bug report for that? </joke>).
(3) Aren't AllowSupplementaryGroups and LocalSocketMode somehow contradictory?


Best regards
XQ
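
An added example, not part of the original message or of the ClamAV or Debian packaging code: a shell check for the situation diagnosed above, comparing the AllowSupplementaryGroups setting in a clamd.conf with the groups that `id` reports for the clamd user. The function names, the treatment of a missing key as disabled, and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are hypothetical.

# Print "yes" if KEY ($2) has a true value in the config file ($1), else "no".
# Assumptions: a missing key counts as disabled, only yes/true/1 enable it,
# and the last occurrence of the key is the one used here.
conf_enabled() {
    val=$(awk -v k="$2" '$1 == k { v = tolower($2) } END { print v }' "$1")
    case "$val" in
        yes|true|1) echo yes ;;
        *) echo no ;;
    esac
}

# Print the supplementary groups (one per line) named in a line of `id`
# output ($1), leaving out the primary group.
supplementary_groups() {
    primary=$(printf '%s\n' "$1" | sed -n 's/.* gid=[0-9]*(\([^)]*\)).*/\1/p')
    printf '%s\n' "$1" | sed -n 's/.* groups=//p' | tr ',' '\n' |
        sed 's/^[0-9]*(\(.*\))$/\1/' | grep -vxF -- "$primary" || true
}

# Print the groups the daemon no longer holds once it has switched user
# with AllowSupplementaryGroups disabled; print nothing when it is enabled.
lost_groups() {
    if [ "$(conf_enabled "$1" AllowSupplementaryGroups)" = no ]; then
        supplementary_groups "$2"
    fi
    return 0
}

# Constructed sample input mirroring the values quoted in the thread.
demo_conf=$(mktemp)
demo_id='uid=108(clamav) gid=113(clamav) groups=113(clamav),114(clamsmtp)'
printf 'User clamav\nAllowSupplementaryGroups false\n' > "$demo_conf"
echo "lost with false: $(lost_groups "$demo_conf" "$demo_id")"
printf 'User clamav\nAllowSupplementaryGroups true\n' > "$demo_conf"
echo "lost with true: $(lost_groups "$demo_conf" "$demo_id")"
rm -f "$demo_conf"
```

On a live system the same check would be `lost_groups /etc/clamav/clamd.conf "$(id clamav)"`; any group it prints is one whose files and sockets clamd cannot reach through group permissions.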


