[Pkg-clamav-devel] Bug#1087420: clamav-clamonacc.service lacks --fdpass (or --stream) Option
Alain Knaff
Alain.Knaff at aev.etat.lu
Wed Nov 13 10:21:28 GMT 2024
Package: clamav-daemon
Version: 1.0.5+dfsg-1~deb12u1
Hi,
By default, clamonacc fails to scan any non-publicly readable file
with the following error:
File patch check failure: Permission denied. Error
Some research found the following pages about this, which seem to
suggest adding --fdpass (or --stream) to /usr/sbin/clamonacc command
line parameters.
https://github.com/Cisco-Talos/clamav/issues/1050
https://www.securiteinfo.com/clamav-antivirus/fixing-most-common-issues-encountered-with-clamav.shtml
So, clamonacc should be started as follows from
/usr/lib/systemd/system/clamav-clamonacc.service:
ExecStart=/usr/sbin/clamonacc --fdpass -F --log=/var/log/clamav/clamonacc.log --move=/root/quarantine
From what I understood, clamonacc spawns an unprivileged sub process to
perform the actual scanning, and by default the sub process attempts to
open the file to be scanned itself, as an unprivileged user.
--fdpass or --checkpass instead have the (privileged) parent open the
file, and pass the file descriptor to the child, avoiding the issue.
Moreover, the /root/quarantine directory is not created by the install
scripts, leading to a non-functional clamonacc, because it has nowhere to
move infected files to.
Thanks,
--
Alain Knaff
Service Informatique
Administration de l'environnement
1, avenue du Rock'n'Roll . L-4361 Esch-sur-Alzette
Tél. (+352) 40 56 56-309
E-Mail Alain.Knaff at aev.etat.lu
www.emwelt.lu | www.gouvernement.lu
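An added example (not part of the report above, and not the Debian package's own unit file) of how an administrator would apply the two changes the report asks for without editing the packaged unit under /usr/lib: a systemd drop-in override that replaces ExecStart with the --fdpass command line and creates the quarantine directory before the daemon starts. The drop-in path is the one `systemctl edit clamav-clamonacc.service` creates; the ExecStartPre line and the 0700 mode are assumptions of this example, chosen so that quarantined files stay readable by root only.

```ini
# /etc/systemd/system/clamav-clamonacc.service.d/override.conf
# Created with: systemctl edit clamav-clamonacc.service
[Service]
# An empty ExecStart= clears the packaged command line before the replacement is set.
ExecStart=
ExecStart=/usr/sbin/clamonacc --fdpass -F --log=/var/log/clamav/clamonacc.log --move=/root/quarantine
# Create the --move destination (path taken from the report) as a root-only directory,
# so the daemon has somewhere to put infected files even on a fresh install.
ExecStartPre=/bin/mkdir -p -m 0700 /root/quarantine
```

After `systemctl daemon-reload` and `systemctl restart clamav-clamonacc.service`, `systemctl cat clamav-clamonacc.service` shows the packaged unit followed by the override, which is the quickest way to confirm the new ExecStart is in effect. To check the fix itself, create a file readable only by its owner and confirm that no "Permission denied" line for it is written to /var/log/clamav/clamonacc.log. One caveat: --fdpass hands the already-open descriptor to clamd over its local Unix socket, so it only helps when clamonacc talks to clamd via LocalSocket; with a TCP connection the --stream option mentioned in the report is the alternative, at the cost of copying file contents over the socket.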