Mailing List Archive: ClamAV: users

clamd socket permissions

Index | Next | Previous | View Threaded

bob at computerisms

Jul 30, 2013, 11:18 AM

Post #1 of 22 (177 views)
Permalink

clamd socket permissions

Hello,

I am trying to trace the reasoning behind behaviour I don't understand
with regard to permissions on the clamd.socket and simscan.

My clamav runs under daemontools. I am keeping my clamd.socket in /tmp.
My problem is *not with clamav being able to access files in the simscan
directory, that works just fine.

For the sake of testing this phenomenon, I have simscan in the clamav
group and clamav in the simscan group:

id simscan
uid=513(simscan) gid=513(simscan) groups=513(simscan),512(clamav)

id clamav
uid=512(clamav) gid=512(clamav) groups=512(clamav),513(simscan)

Consider the following 7 permissions scenarios on the clamav socket:

1:
srw-rw---- 1 clamav simscan 0 Jul 29 10:04 clamd.socket
-svc -t /service/clamd: Socket file removed.
-simscan: clamdscan: ERROR: Can't connect to clamd: Permission denied

2:
srw-rw---- 1 simscan clamav 0 Jul 29 10:04 clamd.socket
-svc -t /service/clamd: ERROR: Can't unlink the socket
file /tmp/clamd.socket
-simscan successfully scans the test message

3:
s---rw---- 1 clamav simscan 0 Jul 29 10:04 clamd.socket
-svc -t /service/clamd: Socket file removed.
-simscan test message: ERROR: Can't connect to clamd: Permission denied

4:
s---rw---- 1 simscan clamav 0 Jul 29 10:04 clamd.socket
-svc -t /service/clamd: ERROR: Can't unlink the socket
file /tmp/clamd.socket
-simscan test: ERROR: Can't connect to clamd: Permission denied

5:
s------rw- 1 root root 0 Jul 29 10:04 clamd.socket
-svc -t /service/clamd: ERROR: LOCAL: Socket file /tmp/clamd.socket
could not be removed: Operation not permitted
-simscan test: ERROR: Can't connect to clamd: Permission denied

6:
s------rw- 1 clamav simscan 0 Jul 29 10:04 clamd.socket
-svc -t /service/clamd: Socket file removed.
-simscan test: scans successfully

7:
s------rw- 1 simscan clamav 0 Jul 29 10:25 clamd.socket
-svc -t /service/clamd: ERROR: Can't unlink the socket
file /tmp/clamd.socket
-simscan test: ERROR: Can't connect to clamd: Permission denied

In the above scenarios, I don't understand:

-If the clamav group has rw on the socket, why does svc -t only work
when clamav is the owner.
-How can the clamav user apparently have access to the socket without rw
(#3)?
-Conversely, why is the same true of simscan user - why can it scan as a
user with rw, but not as a group with rw (except in #6)?
-How can clamav successfully scan as user without rw, while simscan user
needs rw to connect (#3/#4)
-How can #6 work, when #5 and #7 do not? don't world perms let anybody
connect, regardless of owner/group?

The way I see it, because of the group rw, I think scenario #1 should
work to let both simscan scan and daemontools to restart clamd. As
should #2. I also think, because of the world rw, scenarios #5 and #7
should work for both services as well as #6 does. I think in scenario
#3 the results should be opposite to what they are, and in scenario #4,
I think clamav should successfully restart. Somehow I ended up in
opposite land.

I also think there should be a way to let both clamav and simscan
connect to the clamd.socket without world permissions. But nothing I
try seems to work like I think it should. I even tried putting simscan
and clamav users into a new group and owning the socket to that group,
but the results were equally underwhelming.

What is happening is completely contrary to what I think I know should
be happening. As best as I can tell, user/group rw permission on the
clamd.socket are being ignored. It seems to matter more who owns the
socket than whether that owner has rw perms on it.

Surely there is some documentation that would explain this discrepancy,
but I have spent a good deal of time on google over the last few days
and not found it. Would anybody be able to point me at such
documentation, or offer explanation to clear my confusion?

Thanks for any thoughts you wish to share...

--
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

clamav at jubileegroup

Jul 31, 2013, 3:38 AM

Post #2 of 22 (171 views)
Permalink

Re: clamd socket permissions [In reply to]

Hi there,

On Wed, 31 Jul 2013, Bob Miller wrote:

> Thanks for any thoughts you wish to share...

Set the owner of the socket to root, and then repeat your tests.

--

73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

bob at computerisms

Jul 31, 2013, 10:27 AM

Post #3 of 22 (169 views)
Permalink

Re: clamd socket permissions [In reply to]

Thank you very much for taking the time to respond. It is truly
appreciated...

I was able to make your suggestion work by removing the following two
lines from clamd.conf:

User clamav
LocalSocketGroup simscan

which creates the socket thusly:

srw-rw---- 1 root root 0 Jul 31 10:04 clamd.socket

This way clamd runs as root, daemontools can restart clamd, and simscan
can scan the test message. It works, but I am not really liking the
idea of running clamd as root. Seems to me that that has as many risk
variables as giving world perms to a non-root process (which didn't
really work as expected anyway).

So is this to say that it is not possible to run clamav under a non-root
user if you want to grant group access to the socket? I can
see/understand why using root works (and thank you again for showing it
to me), but I still fail to understand the cause behind my previous
observations that group permissions do not seem to work on the socket?

--
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca

On Wed, 2013-07-31 at 11:38 +0100, G.W. Haywood wrote:
> Hi there,
>
> On Wed, 31 Jul 2013, Bob Miller wrote:
>
> > Thanks for any thoughts you wish to share...
>
> Set the owner of the socket to root, and then repeat your tests.
>
> --
>
> 73,
> Ged.
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

dennispe at inetnw

Jul 31, 2013, 10:36 AM

Post #4 of 22 (169 views)
Permalink

Re: clamd socket permissions [In reply to]

Running clamd as root is probably a bad idea but I can imagine a lot of
debate I'm not interested in rising from that statement. It is not
something I would do. When I hit this problem of allowing clamd and my
milters to share that and other sockets I put them all in the same
UID/GID (not root). I've not been able to find a downside, and
everything works happily together. That doesn't mean one doesn't exist,
but after close to 10 years of running this way on dozens of systems no
problems have been revealed.

Top posting from Seattle...

dp

On 7/31/13 10:27:26AM, Bob Miller wrote:
> Thank you very much for taking the time to respond. It is truly
> appreciated...
>
> I was able to make your suggestion work by removing the following two
> lines from clamd.conf:
>
> User clamav
> LocalSocketGroup simscan
>
> which creates the socket thusly:
>
> srw-rw---- 1 root root 0 Jul 31 10:04 clamd.socket
>
> This way clamd runs as root, daemontools can restart clamd, and simscan
> can scan the test message. It works, but I am not really liking the
> idea of running clamd as root. Seems to me that that has as many risk
> variables as giving world perms to a non-root process (which didn't
> really work as expected anyway).
>
> So is this to say that it is not possible to run clamav under a non-root
> user if you want to grant group access to the socket? I can
> see/understand why using root works (and thank you again for showing it
> to me), but I still fail to understand the cause behind my previous
> observations that group permissions do not seem to work on the socket?
>
>
>

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

bob at computerisms

Jul 31, 2013, 1:22 PM

Post #5 of 22 (168 views)
Permalink

Re: clamd socket permissions [In reply to]

Hi Dennis,

Many thanks for the time you took to reply. Though I have had any
epiphanies yet, talking the situation over definitely helps...

> Running clamd as root is probably a bad idea but I can imagine a lot of
> debate I'm not interested in rising from that statement.

If I understand this statement correctly there is a camp of clamav users
who think it is best to run it as root? That is somewhat unexpected. I
never seriously considered it before it was suggested prior in this
thread, but I am putting some thought to it now...

> It is not
> something I would do. When I hit this problem of allowing clamd and my
> milters to share that and other sockets I put them all in the same
> UID/GID (not root).

so as an example you run your clamd and your milter processes all under
the clamav user? To apply that to my situation, I would then run
simscan and clamd using the same uid. that is a novel idea, I will have
to think on what that involves...

When you set your system up like this, does your clamd socket have world
rw on it? Do you have any processes that access the socket via their
group permissions, or only via their user permissions?

> Top posting from Seattle...

I realize seeing this that the list rules are not to top post, yet my
very first reply to this list that is exactly what I did. I make
apologies; it is a damned hard habit to break...

>
> dp
>
> On 7/31/13 10:27:26AM, Bob Miller wrote:
> > Thank you very much for taking the time to respond. It is truly
> > appreciated...
> >
> > I was able to make your suggestion work by removing the following two
> > lines from clamd.conf:
> >
> > User clamav
> > LocalSocketGroup simscan
> >
> > which creates the socket thusly:
> >
> > srw-rw---- 1 root root 0 Jul 31 10:04 clamd.socket
> >
> > This way clamd runs as root, daemontools can restart clamd, and simscan
> > can scan the test message. It works, but I am not really liking the
> > idea of running clamd as root. Seems to me that that has as many risk
> > variables as giving world perms to a non-root process (which didn't
> > really work as expected anyway).
> >
> > So is this to say that it is not possible to run clamav under a non-root
> > user if you want to grant group access to the socket? I can
> > see/understand why using root works (and thank you again for showing it
> > to me), but I still fail to understand the cause behind my previous
> > observations that group permissions do not seem to work on the socket?
> >
> >
> >
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

alvarnell at mac

Jul 31, 2013, 5:33 PM

Post #6 of 22 (163 views)
Permalink

Re: clamd socket permissions [In reply to]

On Jul 31, 2013, at 1:22 PM, Bob Miller <bob [at] computerisms> wrote:
>
> I realize seeing this that the list rules are not to top post, yet my
> very first reply to this list that is exactly what I did.

What list rules would that be?

-Al-
--
Al Varnell
Mountain View, CA

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

bob at computerisms

Jul 31, 2013, 7:31 PM

Post #7 of 22 (162 views)
Permalink

Re: clamd socket permissions [In reply to]

Hello,

> > I realize seeing this that the list rules are not to top post, yet my
> > very first reply to this list that is exactly what I did.
>
> What list rules would that be?
>
>
> -Al-

This is the content of the mail I received upon having my subscription
to this list approved, the last entry say no top-posting:

Welcome to the clamav-users [at] lists mailing list! DO NOT SEND
VIRUS SAMPLES HERE!!! Send them through our web interface at
http://www.clamav.net/sendvirus

Please be polite when you ask for help and always READ THE LIST
ARCHIVES AND THE FAQ BEFORE ASKING. You can find them at
http://www.clamav.net/support/ml , http://www.clamav.net/support/faq
and http://wiki.clamav.net

Rules: - Do NOT top-post (see http://wiki.clamav.net/Main/TopPost) -
Do NOT quote everything - Do NOT send HTML mails

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

alvarnell at mac

Jul 31, 2013, 8:44 PM

Post #8 of 22 (162 views)
Permalink

Re: clamd socket permissions [In reply to]

On Jul 31, 2013, at 7:31 PM, Bob Miller <bob [at] computerisms> wrote:

> Hello,
>
>>> I realize seeing this that the list rules are not to top post, yet my
>>> very first reply to this list that is exactly what I did.
>>
>> What list rules would that be?
>>
>>
>> -Al-
>
> This is the content of the mail I received upon having my subscription
> to this list approved, the last entry say no top-posting:
>
> Welcome to the clamav-users [at] lists mailing list! DO NOT SEND
> VIRUS SAMPLES HERE!!! Send them through our web interface at
> http://www.clamav.net/sendvirus
>
> Please be polite when you ask for help and always READ THE LIST
> ARCHIVES AND THE FAQ BEFORE ASKING. You can find them at
> http://www.clamav.net/support/ml , http://www.clamav.net/support/faq
> and http://wiki.clamav.net
>
> Rules: - Do NOT top-post (see http://wiki.clamav.net/Main/TopPost) -
> Do NOT quote everything - Do NOT send HTML mails

Thanks, I looked around, but seem to have misplaced mine.

The wiki has been demolished and the list is under mostly new management now, so I don't really know what applies any more.

Now that iOS mail only does top posting, it's become a real PITA to first remember which lists care and then moving the sig when your done.

Sent from Janet's iPad

Al
--
Al Varnell
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

clamav at jubileegroup

Aug 1, 2013, 3:11 AM

Post #9 of 22 (160 views)
Permalink

Re: clamd socket permissions [In reply to]

Hi there,

On Thu, 1 Aug 2013, Bob Miller wrote:

> G.W. Haywood wrote:
>
> > Set the owner of the socket to root, and then repeat your tests.
>
> I was able to make your suggestion work by removing the following two
> lines from clamd.conf:
>
> User clamav
> LocalSocketGroup simscan
>
> which creates the socket thusly:
>
> srw-rw---- 1 root root 0 Jul 31 10:04 clamd.socket
>
> This way clamd runs as root, daemontools can restart clamd, and simscan
> can scan the test message. It works, but I am not really liking the
> idea of running clamd as root.

That wasn't what I suggested, and I agree with Mr. Peterson. :)

My suggestion was merely that you change the owner of the socket
and repeat your tests. Nothing more, nothing less, nothing else.
You might find the results interesting.

--

73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

jesler at sourcefire

Aug 1, 2013, 10:05 AM

Post #10 of 22 (159 views)
Permalink

Re: clamd socket permissions [In reply to]

I'll remove that rule.

Let's not enforce arbitrary rules for facilitating communication. While I prefer inline/bottom posting, I'm not going to insist on it just in order for us to communicate. Personally I feel inline and bottom posting makes things clearer, but we are all adults here. Do what's best.

--
Joel Esler

> On Jul 31, 2013, at 8:44 PM, Al Varnell <alvarnell [at] mac> wrote:
>
>> On Jul 31, 2013, at 7:31 PM, Bob Miller <bob [at] computerisms> wrote:
>>
>> Hello,
>>
>>>> I realize seeing this that the list rules are not to top post, yet my
>>>> very first reply to this list that is exactly what I did.
>>>
>>> What list rules would that be?
>>>
>>>
>>> -Al-
>>
>> This is the content of the mail I received upon having my subscription
>> to this list approved, the last entry say no top-posting:
>>
>> Welcome to the clamav-users [at] lists mailing list! DO NOT SEND
>> VIRUS SAMPLES HERE!!! Send them through our web interface at
>> http://www.clamav.net/sendvirus
>>
>> Please be polite when you ask for help and always READ THE LIST
>> ARCHIVES AND THE FAQ BEFORE ASKING. You can find them at
>> http://www.clamav.net/support/ml , http://www.clamav.net/support/faq
>> and http://wiki.clamav.net
>>
>> Rules: - Do NOT top-post (see http://wiki.clamav.net/Main/TopPost) -
>> Do NOT quote everything - Do NOT send HTML mails
>
> Thanks, I looked around, but seem to have misplaced mine.
>
> The wiki has been demolished and the list is under mostly new management now, so I don't really know what applies any more.
>
> Now that iOS mail only does top posting, it's become a real PITA to first remember which lists care and then moving the sig when your done.
>
>
> Sent from Janet's iPad
>
> Al
> --
> Al Varnell
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

bob at computerisms

Aug 1, 2013, 5:35 PM

Post #11 of 22 (149 views)
Permalink

Re: clamd socket permissions [In reply to]

Hello,

> > srw-rw---- 1 root root 0 Jul 31 10:04 clamd.socket
> >
> > This way clamd runs as root, daemontools can restart clamd, and simscan
> > can scan the test message. It works, but I am not really liking the
> > idea of running clamd as root.
>
> That wasn't what I suggested, and I agree with Mr. Peterson. :)
>
> My suggestion was merely that you change the owner of the socket
> and repeat your tests. Nothing more, nothing less, nothing else.
> You might find the results interesting.

I did do them, but noted nothing interesting. It was based on the
assumption that the owner of the socket should be root, and this was the
(a) solution to fixing clamav to fit that assumption.

However, your point is well taken in that I did not do the slow,
methodical and thorough kind of trying. I also had to give my brain a
slap yesterday for skimming articles I have already read instead of
reading them again - can't learn what I think I already know....

So, documenting the experience (all tests repeated, the old and the
new):

1.
a. srw-rw---- 1 clamav simscan 0 Aug 1 13:39 clamd.socket
-clam restart: Socket file removed.
-simscan: ERROR: Can't connect to clamd: Permission denied
b. srw-rw---- 1 root simscan 0 Aug 1 13:42 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: ERROR: Can't connect to clamd: Permission denied
2.
a. srw-rw---- 1 simscan clamav 0 Aug 1 13:44 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: success
b. srw-rw---- 1 root clamav 0 Aug 1 13:58 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: ERROR: Can't connect to clamd: Permission denied
3.
a. s---rw---- 1 clamav simscan 0 Aug 1 14:01 clamd.socket
-clam restart: Socket file removed.
-simscan: ERROR: Can't connect to clamd: Permission denied
b. s---rw---- 1 root simscan 0 Aug 1 14:26 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: ERROR: Can't connect to clamd: Permission denied
4.
a. s---rw---- 1 simscan clamav 0 Aug 1 14:33 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: ERROR: Can't connect to clamd: Permission denied
b. s---rw---- 1 root clamav 0 Aug 1 14:36 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: ERROR: Can't connect to clamd: Permission denied
5.
a. s------rw- 1 root root 0 Aug 1 14:40 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: ERROR: Can't connect to clamd: Permission denied
b. -
-clam restart: -
-simscan: -
6.
a. s------rw- 1 clamav simscan 0 Aug 1 14:43 clamd.socket
-clam restart: Socket file removed.
-simscan: success
b. s------rw- 1 root simscan 0 Aug 1 14:44 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: success
7.
a. s------rw- 1 simscan clamav 0 Aug 1 14:49 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: ERROR: Can't connect to clamd: Permission denied
b. s------rw- 1 root clamav 0 Aug 1 14:52 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: ERROR: Can't connect to clamd: Connection refused

I have stared and stared at this. If there is a lesson to be seen here,
I am sad that it seems beyond my powers of observation. If there is a
way to reverse engineer the above observations into a rule set that also
obeys linux file permissions, I don't see how to do it.

All of my original questions stand; things are not behaving by the rules
I expect them to. How can world rw not work unless the user/group is
correct, is this some sort of umask thing? How can clamav user access
the socket without rw permission, and how can it connect as user but not
group? How can simscan connect as user but not group?

Were you expecting something different? Or more likely, am I missing
something obvious here? wouldn't be the first time I have puzzled for
days/weeks over something stupid and obvious....

Thank you again for your time...

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

clamav at jubileegroup

Aug 2, 2013, 4:45 AM

Post #12 of 22 (133 views)
Permalink

Re: clamd socket permissions [In reply to]

Hi there,

On Fri, 2 Aug 2013, Bob Miller wrote:

> Were you expecting something different?

Not necessarily, but it tells me something. :)

> Or more likely, am I missing something obvious here?

You might be. Please look at the permissions of the parent directory.
You might then want to make changes to those permissions and once more
repeat your tests. Note: In a *n[iu]x system you can delete a file in
a directory to which you can write, even if you can't write (nor even
read) the said file. That's because a directory is effectively just a
file, and putting a new file in a directory or removing a file from it
is just making a modification to the content of the file that you know
as the directory. Of course the OS makes its own modifications to the
directory too (things like access times and file sizes) and the OS can
do what it likes, but the directory's permissions are about what users
(or more correctly processes with given user's permissions) can do to
them. When the parent directory permits both your users to write to
it I think you will see results from your tests that you don't expect.

> Thank you again for your time...

I appreciate it, but we're all learning from this. :)

--

73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

lkchen at ksu

Aug 2, 2013, 5:38 AM

Post #13 of 22 (133 views)
Permalink

Re: clamd socket permissions [In reply to]

----- Original Message -----
> Hi there,
>
> On Fri, 2 Aug 2013, Bob Miller wrote:
>
> > Were you expecting something different?
>
> Not necessarily, but it tells me something. :)
>
> > Or more likely, am I missing something obvious here?
>
> You might be. Please look at the permissions of the parent
> directory.
> You might then want to make changes to those permissions and once
> more
> repeat your tests. Note: In a *n[iu]x system you can delete a file
> in
> a directory to which you can write, even if you can't write (nor even
> read) the said file. That's because a directory is effectively just
> a
> file, and putting a new file in a directory or removing a file from
> it
> is just making a modification to the content of the file that you
> know
> as the directory. Of course the OS makes its own modifications to
> the
> directory too (things like access times and file sizes) and the OS
> can
> do what it likes, but the directory's permissions are about what
> users
> (or more correctly processes with given user's permissions) can do to
> them. When the parent directory permits both your users to write to
> it I think you will see results from your tests that you don't
> expect.
>
> > Thank you again for your time...
>
> I appreciate it, but we're all learning from this. :)
>

Well, since its /tmp, hopefully its something reasonable like 0777 or 1777, the latter is more common which means files in /tmp can only be removed by its owner (or root).

I don't know anything about simscan, since we run sendmail....

But, since most of the testing, has clamd restarting and it announcing that its removing the socket file....

> a. srw-rw---- 1 clamav simscan 0 Aug 1 13:39 clamd.socket
> -clam restart: Socket file removed.
> -simscan: ERROR: Can't connect to clamd: Permission denied
> b. srw-rw---- 1 root simscan 0 Aug 1 13:42 clamd.socket
> -clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
> -simscan: ERROR: Can't connect to clamd: Permission denied

...would suggest that

FixStaleSocket (which defaults to yes)

is seeing the socket as stale when clamd starts again.

So, what does the socket look like after clam restarts?

Hmm,

> Permissions and ClamAntiVirus
>
> To get ClamAV to play nicely with simscan's permissions you have two
> options:
>
> * run clamd as root
> * Add clamav to simscan's group.
>
> Then clamav will have access to the working directory and it's files.
>
> 1. The /var/qmail/simscan directory defaults to ownership to
> simscan.root. So change the group to 'simscan'.
>
> 2. Set the sticky bit on the directory so when simscan creates it's
> temporary directories and files they are group owned simscan as well.
>
> 3. Add the clamav user to the simscan group.
>
> On Linux like systems:
>
> 1. chgrp simscan /var/qmail/simscan
>
> 2. chmod g+s /var/qmail/simscan
>
> 3. usermod -G simscan clamav
>
> Also make sure AllowSupplementaryGroups is set in your clamd.conf file
> so that the clamd daemon knows about the simscan group.

from: http://www.qmailwiki.org/Simscan/README

taking a look at one of our clamav VMs, I see

srw-rw-rw- 1 clamav clamav 0 Jul 27 03:10 /var/tmp/clamd.socket=

Guess that's because neither LocalSocketGroup nor LocalSocketMode are set in our config.

Of course, the only thing that should be connecting to the socket is clamav-milter ... we then have 4 of these VMs in a pool behind our F5 where in theory anybody on campus could use it, but nothing official (what most do is list our MX's at lower priority than their MX, but their MX is firewalled so that inbound mail has to come through our MX first...)

Lawrence
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

bburke at eecs

Aug 2, 2013, 11:12 AM

Post #14 of 22 (127 views)
Permalink

Re: clamd socket permissions [In reply to]

> How can world rw not work unless the user/group is
> correct, is this some sort of umask thing?

I think I can answer this one, at least. Thinking of the last permissions' set as 'world'
is misleading. This last set is more properly the 'other' class. And in fact, the first
two sets (owner and group) comprise entirely separate classes, not one (the owner) encased
in the other (the group).

E.g. 007 permissions (------rwx) does *not* give 'everyone' read/write/execute
permissions; it only gives people who are (1) not the owner/in the owner class, and (2)
not in the owning group/in the group class.

Here's a few words from wikipedia about this:
http://en.wikipedia.org/wiki/Filesystem_permissions#Classes

--
Bryan Burke
IT Administrator
Department of Electrical Engineering and Computer Science
University of Tennessee, Knoxville
bburke [at] eecs
(865) 974-4694
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

dennispe at inetnw

Aug 2, 2013, 11:23 AM

Post #15 of 22 (126 views)
Permalink

Re: clamd socket permissions [In reply to]

On 7/30/13 11:18:36AM, Bob Miller wrote:
> Hello,
>
> I am trying to trace the reasoning behind behaviour I don't understand
> with regard to permissions on the clamd.socket and simscan.
>
>
What is the state of selinux on your system? This is found in some
distributions by running getenforce at the command line.

dp
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

bob at computerisms

Aug 2, 2013, 1:00 PM

Post #16 of 22 (127 views)
Permalink

Re: clamd socket permissions [In reply to]

Hello,

> > You might be. Please look at the permissions of the parent
> > directory.
> > You might then want to make changes to those permissions and once
> > more
> > repeat your tests. Note: In a *n[iu]x system you can delete a file
> > in
> > a directory to which you can write, even if you can't write (nor even
> > read) the said file....but the directory's permissions are about what
> > users
> > (or more correctly processes with given user's permissions) can do to
> > them. When the parent directory permits both your users to write to
> > it I think you will see results from your tests that you don't
> > expect.
> >
> > > Thank you again for your time...
> >
> > I appreciate it, but we're all learning from this. :)

I can't help it, this statement just makes me happy :)

> >
>
> Well, since its /tmp, hopefully its something reasonable like 0777 or 1777, the latter is more common which means files in /tmp can only be removed by its owner (or root).

Regarding parent permissions and write access, I am aware of this
limitation. I use this to my advantage in file servers and web servers
to ensure users cannot delete or otherwise change the top level of
certain directories. and as surmised, I am running a /tmp directory
with perms 1777.

I considered the possibility that the sticky bit was preventing clamav
from deleting the socket. For example, if the socket gets created by
root, then clamav would not be able to delete it. Since clamav can
delete if permissions are correct, I do not think the sticky bit is
playing a part here.

Nonetheless I did create a directory /clamd and chmod'd it to 777 and
set the clamd.conf to make the socket in there. I then repeated the
first four tests and observed no changes - group permissions still seem
to be ignored.

> ...would suggest that
>
> FixStaleSocket (which defaults to yes)
>
> is seeing the socket as stale when clamd starts again.
>
> So, what does the socket look like after clam restarts?

In the case where the socket is removed, it gets properly recreated as
per the LocalSocket* settings in clamd.conf (srw-rw---- 1 clamav
simscan)

In the case where the socket is not removed, it simply remains with
whatever permissions it had until it is removed manually or by changing
permissions so clamav can remove it itself.

To be clear, in all of the tests I ran, when clamd did not restart
gracefully, I rm'd the socket as root from the cli so as to let clamd
start again and let clamd recreate the socket. I then changed
permissions on the socket manually to run my tests.

Digging into the FixStaleSocket setting (explicitly set to yes in my
clamd.conf), I am a bit surprised it isn't having an effect here. As I
understand it, clamd starts as root, then drops into the clamav user. I
guess it doesn't try to clear the stale socket until after it drops root
privileges.

>
> Hmm,
>
> > Permissions and ClamAntiVirus
> >
> > To get ClamAV to play nicely with simscan's permissions you have two
> > options:
> >
<snip>
> >
> > Also make sure AllowSupplementaryGroups is set in your clamd.conf file
> > so that the clamd daemon knows about the simscan group.
>
> from: http://www.qmailwiki.org/Simscan/README

I have read this site multiple times. it has lots of useful stuff on
it.

Simscan is a queue. After qmail has accepted the mail, it hands it to
simscan, which in turn stores the message in files in its own working
directory. Simscan then calls clamav to scan the files in that
directory, and then feeds them into spamassassin. Clamav is allowed
read access to Simscan's working directory via group permissions (r-x).
It then hands the message back to qmail with a pass/fail flag and
deletes the message from its working dir.

This particular snippet you quote is to do with clamav's ability to
access the files in simscan's working directory. Without those group
permissions, clamav will be denied access to simscan's working
directory. I have considered that section of that wiki very carefully,
and I do not find a way to apply that information to the clamd socket.

This seems to be the vast majority of problems when it comes to making
simscan and clamav work together. Almost every article I found when
searching something similar to "clamav simscan permissions" was a
discussion of allowing clamav into simscan's directory to scan files.
Articles on the topic of socket permissions are much less common.

The more appropriate question, at least to my mind, is what is the
effective uid/gid of the process accessing the socket. The closest
thing I have been able to find in documentation to answer that question
is "simscan calls clamav". because the suid bit is not set on the
clamscan binary, I think that the process remains owned by simscan
throughout. That is supported by the fact that simscan works when set
as user and granted rw on the socket. I think that the opposite of the
snippet from the wiki - adding simscan to the clamav group - should
effectively nullify any conflict of permissions on the socket, hence my
reasoning for having both users in each group.

>
> taking a look at one of our clamav VMs, I see
>
> srw-rw-rw- 1 clamav clamav 0 Jul 27 03:10 /var/tmp/clamd.socket=
>
> Guess that's because neither LocalSocketGroup nor LocalSocketMode are set in our config.

As I understand things, that would be correct. This also implies to me
that you do have the User set to clamav in your clamd.conf.

I have also found in example after example, as is this case here, that
people do not unset the world rw on the socket. In doing my searching,
I found this thread:

https://bugzilla.redhat.com/show_bug.cgi?id=787434

and from that, when I set my clamd.sock to 666 (owned by
clamav/simscan), the following command allows the nobody user to send a
shutdown command to clamd.

su nobody -s /bin/sh -c 'id; echo nSHUTDOWN | socat - \
UNIX-CONNECT:/tmp/clamd.socket'

In my particular case this doesn't matter so much because daemontools
will just start it up again, but I trust I don't have to explain why
that isn't the point...

Reading that thread also got me to considering that another solution to
this problem is to not put the socket in the /tmp directory, but make a
custom directory and limit access to the socket via the permissions on
that directory. This isn't such a bad idea in that I could use it to
achieve my goal, but it seems like admitting defeat. Besides, why have
the LocalSocket* settings in clamd.conf if you can't use them?

>
> Of course, the only thing that should be connecting to the socket is clamav-milter ... we then have 4 of these VMs in a pool behind our F5 where in theory anybody on campus could use it, but nothing official (what most do is list our MX's at lower priority than their MX, but their MX is firewalled so that inbound mail has to come through our MX first...)

Thank you very much for your input...

>
> Lawrence
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

bob at computerisms

Aug 2, 2013, 1:21 PM

Post #17 of 22 (126 views)
Permalink

Re: clamd socket permissions [In reply to]

Hi Bryan,

Thank you very much for contributing your thoughts to this thread.

> E.g. 007 permissions (------rwx) does *not* give 'everyone' read/write/execute
> permissions; it only gives people who are (1) not the owner/in the owner class, and (2)
> not in the owning group/in the group class.

As I read it, this shows even better how the file permissions rules are
not being followed.

From the wikipedia article:

The effective permissions are determined based on the user's class. For
example, the user who is the owner of the file will have the permissions
given to the owner class regardless of the permissions assigned to the
group class or others class.

so my test #6:

s------rw- 1 clamav simscan 0 Jul 29 10:04 clamd.socket

since clamav is in the owner class, it's effective permissions should be
---, which should deny access to the clamav user regardless of any other
permission for group or other. Yet it still has access to the socket.

Conversely, my test #5:

s------rw- 1 root root 0 Aug 1 14:40 clamd.socket

since clamav is not a member of the owner class, and is not a member of
the group class, it should then be a member of the other class, and as
the other class, it should be granted rw. Yet clamav cannot access the
socket.

Perhaps I am not seeing the point you are illustrating?

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

bob at computerisms

Aug 2, 2013, 1:26 PM

Post #18 of 22 (126 views)
Permalink

Re: clamd socket permissions [In reply to]

Hi Dennis,

> What is the state of selinux on your system? This is found in some
> distributions by running getenforce at the command line.

This is a stock debian jesse build. As I understand it, selinux is not
enabled by default, and I can find no evidence there are any policies in
effect.

>
> dp
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

clamav at jubileegroup

Aug 4, 2013, 1:57 AM

Post #19 of 22 (113 views)
Permalink

Re: clamd socket permissions [In reply to]

Hi there,

On Sat, 3 Aug 2013, Bob Miller wrote:

> Reading that thread also got me to considering that another solution
> to this problem is to not put the socket in the /tmp directory, but
> make a custom directory and limit access to the socket via the
> permissions on that directory. This isn't such a bad idea in that I
> could use it to achieve my goal, but it seems like admitting defeat.

Heh... if it works, do it and I'm out. :)

> Besides, why have the LocalSocket* settings in clamd.conf if you
> can't use them?

If your mail's working, at least you have more time for research. :)

> This is a stock debian jesse build.

Ouch. Quoting from http://www.debian.org/releases/testing/

[QUOTE]
... the next major Debian release after wheezy is "jessie".

This release started as a copy of wheezy, and is currently in a state
called "testing". That means that things SHOULD NOT BREAK AS BADLY as
in unstable or experimental distributions ...
[/QUOTE]

My emphasis on "should not break as badly". Having had more than
enough trouble with 'stable', I wouldn't recommend that you use the
'testing' version of Debian for serious mail processing.

Incidentally this list of open issues makes me uneasy:

http://sourceforge.net/p/simscan/bugs/

--

73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

bburke at eecs

Aug 4, 2013, 12:13 PM

Post #20 of 22 (110 views)
Permalink

Re: clamd socket permissions [In reply to]

> so my test #6:
>
> s------rw- 1 clamav simscan 0 Jul 29 10:04 clamd.socket
>
> since clamav is in the owner class, it's effective permissions should be
> ---, which should deny access to the clamav user regardless of any other
> permission for group or other. Yet it still has access to the socket.

Well, there is a slight complication here, because, while most non-interactive tools will
test the permissions of the file before allowing you to read/write to it, as the owner,
you can always force things to read/write it (i.e. read(2)/write(2) type calls will still
succeed). I haven't looked at clamd's source, but it may not check the access(2)
permissions before doing things with the socket.

> Conversely, my test #5:
>
> s------rw- 1 root root 0 Aug 1 14:40 clamd.socket
>
> since clamav is not a member of the owner class, and is not a member of
> the group class, it should then be a member of the other class, and as
> the other class, it should be granted rw. Yet clamav cannot access the
> socket.
>
> Perhaps I am not seeing the point you are illustrating?

That is very strange behavior indeed. If I were you, I might hack up a few test C programs
that use the access(2) call, and read(2)/write(2) or send(2)/recv(2) calls, and run it as
different users to verify you're getting the permission problems you are.

If what you get is different, then perhaps clamd is using some other internal logic, which
is not immediately apparent, to check whether or not it can access the socket.

Might be more trouble than it's worth, i.e. to solve the problem, but again, it's
interesting and might be fun for it's own sake.

--
Bryan Burke
IT Administrator
Department of Electrical Engineering and Computer Science
University of Tennessee, Knoxville
bburke [at] eecs
(865) 974-4694
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

bburke at eecs

Aug 5, 2013, 11:00 AM

Post #21 of 22 (88 views)
Permalink

Re: clamd socket permissions [In reply to]

> That is very strange behavior indeed. If I were you, I might hack up a few test C programs
> that use the access(2) call, and read(2)/write(2) or send(2)/recv(2) calls, and run it as
> different users to verify you're getting the permission problems you are.

... Or strace the clamd process. Yea, that's probably easier... :)

--
Bryan Burke
IT Administrator
Department of Electrical Engineering and Computer Science
University of Tennessee, Knoxville
bburke [at] eecs
(865) 974-4694
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

bob at computerisms

Aug 8, 2013, 9:30 AM

Post #22 of 22 (66 views)
Permalink

Re: clamd socket permissions [In reply to]

Hello Everybody,

Sorry for the tardiness of my response, those pesky customers have been
keeping me pretty occupied this week...

> > Reading that thread also got me to considering that another solution
> > to this problem is to not put the socket in the /tmp directory, but
> > make a custom directory and limit access to the socket via the
> > permissions on that directory. This isn't such a bad idea in that I
> > could use it to achieve my goal, but it seems like admitting defeat.
>
> Heh... if it works, do it and I'm out. :)

Given that my world just got a lot busier and will remain that way for
the next couple of weeks, I figure this is the best solution I am going
to achieve in the short term. Perhaps I will devote more resources to
solving this when time again permits....

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads