On Friday 25 June 2004 10:36 pm, Stephen Gran wrote:
> On Fri, Jun 25, 2004 at 05:53:13PM -0500, Jeremy Kitchen said:
> > On Friday 25 June 2004 04:27 pm, Stephen Gran wrote:
> > > Take a look at /usr/share/doc/clamav-base/README.Debian. The suggested
> > > fix for this sort of thing is to leave clamav running as clamav, but to
> > > add it to the group qscand, and make sure AllowSupplementaryGroups is
> > > set in clamav.conf.
> >
> > I tried and tried and tried and wasn't actually able to get it to work
> > like that. I simply run my clamd as the qscand user (I do this on
> > production systems as well) and it works dandy.
>
> OK, I stand corrected. I am not a qmail admin, so you are in a better
> position to know than I am. I will keep that in mind for others who
> have problems with it.

Well, YMMV, but I wasn't able to get it to work :)

I agree that privilege separation is extremely important, but that's why
qmail-scanner requires (well, you can force it, but y'know) that you use
another user and group, qscand:qscand, for its scanning, because,
theoretically, it should have ZERO access to ANY part of the filesystem other
than its own root. If you lose some quarantined messages, oh well. If it
stomps on other messages in the working directory, qmail-scanner will detect
that (it'll get errors from other applications and such) and will exit with a
deferral code and qmail-smtpd will defer the message, and theoretically, the
remote client will attempt it again later.

Plus, I think qmail-scanner makes everything umask 077 (although I'm sure
that's configurable, or at the very least, hackable) so clamd wouldn't have
read access anyways.

-Jeremy
--
Jeremy Kitchen ++ Systems Administrator ++ Inter7 Internet Technologies, Inc.
[EMAIL PROTECTED] ++ www.inter7.com ++ 866.528.3530 ++ 847.492.0470 int'l
kitchen @ #qmail #gentoo on EFnet ++ scriptkitchen.com/qmail
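
The permission question discussed in this message, as an added example that is not part of the original post or of qmail-scanner or ClamAV: it creates a file under a given umask and applies the classic UNIX owner/group/other read check to show when membership in the qscand group helps a clamd running as clamav. The numeric IDs are constructed, and ACLs and directory permissions are ignored.

```python
import os
import stat
import tempfile

# Constructed numeric IDs for illustration; real systems will differ.
QSCAND_UID = QSCAND_GID = 210
CLAMAV_UID = CLAMAV_GID = 105


def mode_under_umask(umask, requested=0o666):
    """Create a real file under `umask` and return its permission bits."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "msg")
            os.close(os.open(path, os.O_CREAT | os.O_WRONLY, requested))
            return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old)


def can_read(mode, file_uid, file_gid, uid, gid, groups=()):
    """Classic UNIX read check: only the first matching class is consulted."""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if gid == file_gid or file_gid in groups:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def scenarios(umask):
    """Who can read a qscand-owned file created under `umask`?"""
    mode = mode_under_umask(umask)
    owner = (mode, QSCAND_UID, QSCAND_GID)
    return {
        "clamav, no extra group": can_read(*owner, CLAMAV_UID, CLAMAV_GID),
        "clamav + qscand group": can_read(*owner, CLAMAV_UID, CLAMAV_GID, (QSCAND_GID,)),
        "clamd run as qscand": can_read(*owner, QSCAND_UID, QSCAND_GID),
    }


if __name__ == "__main__":
    for um in (0o077, 0o027):
        print(f"umask {um:03o}: mode {mode_under_umask(um):04o}", scenarios(um))
```

Under umask 077 the file comes out as 0600, so the supplementary group grants nothing and only a clamd running as qscand can read it; under 027 the group bit is present and the supplementary-group setup is sufficient.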