[Pkg-clamav-devel] Bug#917648: clamav-freshclam: doesn't properly clean up temporary files, consumes all disk

Witold Baryluk witold.baryluk at gmail.com
Sat Dec 29 20:28:23 GMT 2018


Package: clamav-freshclam
Followup-For: Bug #917648


Hi,

I didn't even know I had apparmor installed and enabled.

It looks like it is by default on Debian, because libgtk or something depends
on apparmor and then it is automatically enabled. Or some package
suggests it and my apt by default probably installs suggests or something.
(I mean, I did not explicitly ask for apparmor to be installed AFAIK).
There are only a few apparmor profiles, so it essentially affects only a few
specific programs, like clamav (well it is nice to have it sandboxed of
course), so I never noticed apparmor was even present.

I did:

1) aa-disable  /usr/bin/freshclam

2) cleaning all temp files and downloaded cvd files

3) restarting clamav-freshclam

And it works, it updates the database, and removes the temporary directory.

Re-enabling it (aa-enforce) and restarting brings back the old behaviour: even if
all databases are up to date, it creates an empty temporary directory
that is not removed when it finishes the update process.


Running with aa enabled, and running it manually under strace:

# strace -e 'trace=%file'  /usr/bin/freshclam -d --foreground=true
...
stat("/var/log/clamav/freshclam.log", {st_mode=S_IFREG|0640, st_size=92456, ...}) = 0
openat(AT_FDCWD, "/var/log/clamav/freshclam.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = 3
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
chdir("/var/lib/clamav")                = 0
getcwd("/var/lib/clamav", 512)          = 16
stat("/var/log/clamav/freshclam.log", {st_mode=S_IFREG|0640, st_size=92523, ...}) = 0
mkdir("/var/lib/clamav/clamav-b2d56c174f79ecbf7d1264dd93f6fc1e.tmp", 0755) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
stat("/var/log/clamav/freshclam.log", {st_mode=S_IFREG|0640, st_size=92619, ...}) = 0
Sat Dec 29 20:23:34 2018 -> ClamAV update process started at Sat Dec 29 20:23:34 2018
stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=73, ...}) = 0
openat(AT_FDCWD, "/etc/host.conf", O_RDONLY|O_CLOEXEC) = 4
openat(AT_FDCWD, "/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 4
stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=73, ...}) = 0
openat(AT_FDCWD, "mirrors.dat", O_RDONLY) = 4
access("main.cvd", R_OK)                = 0
access("main.cvd", R_OK)                = 0
openat(AT_FDCWD, "main.cvd", O_RDONLY)  = 4
stat("/var/log/clamav/freshclam.log", {st_mode=S_IFREG|0640, st_size=92705, ...}) = 0
Sat Dec 29 20:23:34 2018 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
access("daily.cvd", R_OK)               = 0
access("daily.cvd", R_OK)               = 0
openat(AT_FDCWD, "daily.cvd", O_RDONLY) = 4
stat("/var/log/clamav/freshclam.log", {st_mode=S_IFREG|0640, st_size=92815, ...}) = 0
Sat Dec 29 20:23:34 2018 -> daily.cvd is up to date (version: 25250, sigs: 2193104, f-level: 63, builder: raynman)
access("safebrowsing.cvd", R_OK)        = -1 ENOENT (No such file or directory)
access("safebrowsing.cld", R_OK)        = -1 ENOENT (No such file or directory)
access("bytecode.cvd", R_OK)            = 0
access("bytecode.cvd", R_OK)            = 0
openat(AT_FDCWD, "bytecode.cvd", O_RDONLY) = 4
stat("/var/log/clamav/freshclam.log", {st_mode=S_IFREG|0640, st_size=92930, ...}) = 0
Sat Dec 29 20:23:34 2018 -> bytecode.cvd is up to date (version: 327, sigs: 91, f-level: 63, builder: neo)
openat(AT_FDCWD, "/var/lib/clamav/mirrors.dat", O_WRONLY|O_CREAT|O_TRUNC, 0600) = 4
chmod("/var/lib/clamav/clamav-b2d56c174f79ecbf7d1264dd93f6fc1e.tmp", 0700) = 0
openat(AT_FDCWD, "/var/lib/clamav/clamav-b2d56c174f79ecbf7d1264dd93f6fc1e.tmp", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 EACCES (Permission denied)
stat("/var/log/clamav/freshclam.log", {st_mode=S_IFREG|0640, st_size=93037, ...}) = 0


No idea why it does a 'stat' of the log all the time (maybe log rotation
functionality), because it is in append mode, so it shouldn't be doing
this maybe.


Anyhow, you can see

openat(AT_FDCWD, "/var/lib/clamav/clamav-b2d56c174f79ecbf7d1264dd93f6fc1e.tmp", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY)

fails with permission denied message.

However, it doesn't even attempt to remove the directory in the case of
an error. That is a bug in freshclam, not the apparmor profile. (The
removal might still fail due to apparmor or other issues, like broken
file system, nfs mount, etc, but it does change the fact that clamav
should attempt to clean files and directory even on failure, and if it fails
to remove, emit a log message).



Permissions, owner and chown look as expected and good:

drwx------ 2 clamav clamav        40 Dec 29 20:23 clamav-b2d56c174f79ecbf7d1264dd93f6fc1e.tmp


Regards,
Witold


-- Package-specific info:
--- configuration ---
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 30
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
SafeBrowsing false
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

--- data dir ---
total 167496
-rw-r--r-- 1 clamav clamav    187426 Dec 25 23:37 bytecode.cvd
drwx------ 3 clamav clamav        60 Dec 29 18:52 clamav-328e85124dfde381c94634ab186d9a74.tmp
drwx------ 3 clamav clamav        60 Dec 29 20:10 clamav-e4b5cfcec00bff7bbfb392c357acf318.tmp
-rw-r--r-- 1 clamav clamav  53424829 Dec 25 23:37 daily.cvd
-rw-r--r-- 1 clamav clamav 117892267 Dec 25 23:37 main.cvd
-rw------- 1 clamav clamav       520 Dec 29 20:10 mirrors.dat

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/32 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages clamav-freshclam depends on:
ii  clamav-base            0.100.2+dfsg-2
ii  debconf [debconf-2.0]  1.5.69
ii  dpkg                   1.19.2
ii  libc6                  2.28-2
ii  libclamav7             0.100.2+dfsg-1
ii  libssl1.1              1.1.1-2
ii  logrotate              3.14.0-4
ii  lsb-base               9.20170808
ii  procps                 2:3.3.15-2
ii  ucf                    3.0038
ii  zlib1g                 1:1.2.11.dfsg-1

clamav-freshclam recommends no packages.

Versions of packages clamav-freshclam suggests:
ii  apparmor     2.13.1-3+b1
pn  clamav-docs  <none>

-- debconf information:
  clamav-freshclam/internet_interface:
  clamav-freshclam/proxy_user:
  clamav-freshclam/update_interval: 24
  clamav-freshclam/PrivateMirror:
  clamav-freshclam/local_mirror: db.local.clamav.net
  clamav-freshclam/NotifyClamd: true
  clamav-freshclam/autoupdate_freshclam: daemon
  clamav-freshclam/Bytecode: true
  clamav-freshclam/http_proxy:
  clamav-freshclam/SafeBrowsing: false
  clamav-freshclam/LogRotate: true
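
The cleanup behaviour the report asks for (still attempt removal when opening the directory fails, and log whatever fails), as an added example that is not freshclam or libclamav code. The names cleanup_tmpdir and demo_denied_listing and the /tmp/clamav-demo-XXXXXX path are hypothetical, and a mode-000 directory stands in for the AppArmor denial seen in the strace.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() and lstat() */
#include <dirent.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not a libclamav function: remove a temporary tree, log
 * each step that fails, always try the final rmdir(). 0 if gone, else -1. */
int cleanup_tmpdir(const char *path)
{
    DIR *d = opendir(path);
    if (d == NULL) {   /* the EACCES case from the strace: log, do not bail out */
        fprintf(stderr, "cleanup: cannot list %s: %s\n", path, strerror(errno));
    } else {
        struct dirent *e;
        while ((e = readdir(d)) != NULL) {
            char child[PATH_MAX];
            struct stat st;
            if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
            snprintf(child, sizeof child, "%s/%s", path, e->d_name);
            if (lstat(child, &st) == 0 && S_ISDIR(st.st_mode))
                cleanup_tmpdir(child);        /* logs its own failures */
            else if (unlink(child) != 0)      /* lstat: symlinks are not followed */
                fprintf(stderr, "cleanup: cannot unlink %s: %s\n", child, strerror(errno));
        }
        closedir(d);
    }
    if (rmdir(path) != 0) {   /* reached on every path through the function */
        fprintf(stderr, "cleanup: cannot remove %s: %s\n", path, strerror(errno));
        return -1;
    }
    return 0;
}

/* Constructed scenario: an empty temp dir whose listing is denied (mode 000
 * stands in for the AppArmor denial). Returns 0 if it was still removed. */
int demo_denied_listing(void)
{
    char tmpl[] = "/tmp/clamav-demo-XXXXXX";
    struct stat st;
    if (mkdtemp(tmpl) == NULL || chmod(tmpl, 0) != 0 || cleanup_tmpdir(tmpl) != 0)
        return -1;
    return (stat(tmpl, &st) == -1 && errno == ENOENT) ? 0 : -1;
}
int main(void) { return demo_denied_listing() == 0 ? 0 : 1; }
```

Under a confining profile the rmdir() itself may also be denied; in that case the function returns -1 and the reason is in the log instead of a silently leaked directory.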


