Dennis Peterson wrote the following on 9/22/2007 3:10 PM -0800:

> What do you get when you run ls -ld /tmp
> drwxrwxrwt 10 root root 12288 2007-09-22 15:13 /tmp
>
> The user id of the person who builds clamav does not affect the run-as
> user definition. It will be clamav:clamav unless you change it. Whatever
> user you use, be it the default or whatever you choose, that user
> must exist. The important thing is that user is not used unless clam is
> run as root or as that user.

Hmmm, my build of clamav uses default uid/gid. I ran this as root:
clamscan --debug --leave-temps -d /var/tmp/rsync/MSRBL-Images.hdb

and get this:

ls -l /tmp
-rw------- 1 root root 1329 2007-09-22 15:39 clamav-0acd37645f78642d4040bfa4570590ed
drwx------ 3 root root 4096 2007-09-22 15:39 clamav-14faec7835372a15636e03551d4f6f46
drwx------ 3 root root 4096 2007-09-22 15:39 clamav-17d9c1c7fe868827b01a900289e014fe
drwx------ 2 root root 4096 2007-09-22 15:39 clamav-1a2fe3064c3e71d89905acb165612d1d
-rw------- 1 root root 10240 2007-09-22 15:39 clamav-1cd0179ea5ca1343e05d2d81496de484
-rw------- 1 root root 6236 2007-09-22 15:39 clamav-23a285245f6c4b8c19a196bba8b0b979
-rw------- 1 root root 6271 2007-09-22 15:39 clamav-2563cd6d30df44c9dfe01b818c1fb808
drwx------ 2 root root 4096 2007-09-22 15:39 clamav-3278cd6be3e4a99fe20a081c7c0544d4
-rw------- 1 root root 7489 2007-09-22 15:39 clamav-3381e93d6b55b01807cb65b3a53bf5db
-rw------- 1 root root 10477568 2007-09-22 15:39 clamav-381f17b07def4663ab9e335c98561c8e
drwx------ 2 root root 4096 2007-09-22 15:39 clamav-39f326ff1341ab0b94b1a84907dfc09a
-rw------- 1 root root 7143 2007-09-22 15:39 clamav-426316cea3272e8008a6d92f537ee14f
drwx------ 3 root root 4096 2007-09-22 15:39 clamav-4a5cd0c1e6eed5a763d4464392dce9ef
-rw------- 1 root root 29568 2007-09-22 15:39 clamav-5779dd828a7a170cfdfdb6ac2fdf3652
drwx------ 2 root root 4096 2007-09-22 15:39 clamav-73597be087991b435c2b7ce3c665d0aa
drwx------ 3 root root 4096 2007-09-22 15:39 clamav-74739a4c3fa56a76925a15d6ef10988e
drwx------ 3 root root 4096 2007-09-22 15:39 clamav-7738d584276e460eef31482874f8bd73
drwx------ 2 root root 4096 2007-09-22 15:39 clamav-964dfe63220de9d1c6569dcc9ab6fa4d
drwx------ 2 root root 4096 2007-09-22 15:39 clamav-9a61b7ed7705d04b5a65e517b0b1b59a
drwx------ 3 root root 4096 2007-09-22 15:39 clamav-9ee612235e87da5fc572bd5141b299f8
drwx------ 2 root root 4096 2007-09-22 15:39 clamav-a7a2b3a66f1091f5d6b798de06155dc3
-rw------- 1 root root 8309 2007-09-22 15:39 clamav-ac3aa3a7f7e8d1ac96ce6c73a6876866
drwx------ 2 root root 4096 2007-09-22 15:39 clamav-b679a0455f52e59918c7c3543c4d4565
-rwx------ 1 root root 29719 2007-09-22 15:39 clamav-b8503c0aaa097a3ba419772fd7a4f926
drwx------ 2 root root 4096 2007-09-22 15:39 clamav-b8e730d2ddb6cd78b5c3d625fc1aafea
-rw------- 1 root root 1130 2007-09-22 15:39 clamav-bd26c664bda3cd458e9b7fb0ea66f6b4
drwx------ 2 root root 4096 2007-09-22 15:39 clamav-c6a6d756a1e3f67514ac8035a00a2fa2
drwx------ 2 root root 4096 2007-09-22 15:39 clamav-c72d2a65ff68ecd2e0fedcfdb3b8aeae
drwx------ 3 root root 4096 2007-09-22 15:39 clamav-c76e7f12a01f3035c05099742b459615
drwx------ 2 root root 4096 2007-09-22 15:39 clamav-cea1c19b339b2e9ef27f02a7d3747475
-rw------- 1 root root 2068 2007-09-22 15:39 clamav-d96f23fe4ff21d65a27d92a3be782765
drwx------ 2 root root 4096 2007-09-22 15:39 clamav-d9a6c74d295a250c70efbd714ecce82a
drwx------ 2 root root 4096 2007-09-22 15:39 clamav-e3714a7d8696fcfd1dffea87f0b8ed77
-rw------- 1 root root 3489 2007-09-22 15:39 clamav-f3c7f36ab438e68978287b7351bc3588
-rw------- 1 root root 1761 2007-09-22 15:39 clamav-fc6b701da74dc081a0c353c7d613c69c
drwx------ 2 root root 4096 2007-09-22 15:39 clamav-feb941e79a62e60040cdd82c70bae723

When I run this as su amavis (the user and group that I've set clamd to run under in clamd.conf):

clamscan --debug --leave-temps -d /var/tmp/rsync/MSRBL-Images.hdb

drwx------ 2 amavis amavis 4096 2007-09-22 15:37 clamav-06c7d39053913b632e486cb1422a046d
drwx------ 2 amavis amavis 4096 2007-09-22 15:37 clamav-11350ed811c6cee52612d5ef0ab98ab9
drwx------ 2 amavis amavis 4096 2007-09-22 15:37 clamav-12a274aa82c634e7476a04f6b4b1e993
drwx------ 2 amavis amavis 4096 2007-09-22 15:37 clamav-19cba0f84f8babef94eb8f3c7bda357f
drwx------ 3 amavis amavis 4096 2007-09-22 15:37 clamav-2bd183c574ee8df743a4c09d93fbd8b4
drwx------ 2 amavis amavis 4096 2007-09-22 15:37 clamav-2c15fdeac894db2b01dcfe6755439baa
-rw------- 1 amavis amavis 20992 2007-09-22 15:37 clamav-34badb69597ae4ba9f3059a7d089c4b0
drwx------ 2 amavis amavis 4096 2007-09-22 15:37 clamav-3cfb90baa2168cbfd4d39550d3a325bd
drwx------ 2 amavis amavis 4096 2007-09-22 15:37 clamav-4230ffa666a58c01759f844604a61e45
drwx------ 2 amavis amavis 4096 2007-09-22 15:37 clamav-5586e1642623d9ebab2f0257c30d9e6f
drwx------ 2 amavis amavis 4096 2007-09-22 15:37 clamav-778a95c0bb48d90f2e4538a62c47ec7a
drwx------ 2 amavis amavis 4096 2007-09-22 15:37 clamav-789012b47a0cefc0b7b129a324b96544
drwx------ 2 amavis amavis 4096 2007-09-22 15:37 clamav-ac146226781c33cc380ac332209419a0
drwx------ 2 amavis amavis 4096 2007-09-22 15:37 clamav-ad7d4bce88d94b20786cfffc40321d08
drwx------ 3 amavis amavis 4096 2007-09-22 15:37 clamav-bfc773753c7fc55a0e1a06b897a0903e
drwx------ 2 amavis amavis 4096 2007-09-22 15:37 clamav-c85a5b0b1d0c5c4be8ce23bca5eb55f2
drwx------ 3 amavis amavis 4096 2007-09-22 15:37 clamav-cfaad1943a288f9237b66dfd2dd163b4
drwx------ 2 amavis amavis 4096 2007-09-22 15:37 clamav-d8c6507170c6294f4ce91b4258b9efcd
drwx------ 2 amavis amavis 4096 2007-09-22 15:37 clamav-f2483ad3eabb688cfe593bae7afea9f7

However, if I run this under su clamav, I get nothing in /tmp, but the scan runs ok. Strange, since if I remove the clamav user and group and run as root, I also get nothing in /tmp, but clamscan reports:

clamscan --leave-temps -d /var/tmp/rsync/MSRBL-Images.hdb

----------- SCAN SUMMARY -----------
Known viruses: 1510
Engine version: 0.91.2
Scanned directories: 1
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 0.007 sec (0 m 0 s)

[EMAIL PROTECTED] clamav]# ls /tmp/
fail2ban.sock gconfd-root mapping-bill mapping-root orbit-gdm

which again looks like it was a successful scan.
However, if I now run as root with /dev/null (remember I removed the clamav uid/gid), I get:

clamscan -v -d /var/tmp/rsync/MSRBL-Images.hdb - < /dev/null
ERROR: Can't write to temporary directory

----------- SCAN SUMMARY -----------
Known viruses: 1510
Engine version: 0.91.2
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 0.007 sec (0 m 0 s)

So it appears that access to /dev/null is the problem if clamav is configured with something other than uid/gid clamav. I really do not understand all of the anomalies shown here, but through all of this, I did find a way to scan a single file without using /dev/null, which normally causes clamscan to scan every file in the directory you happen to be in when executing the test, such as when executed from my home directory (/var/tmp/rsync only has 2 files in it):

clamscan -v -d /var/tmp/rsync/MSRBL-SPAM.ndb

----------- SCAN SUMMARY -----------
Known viruses: 1510
Engine version: 0.91.2
Scanned directories: 1
Scanned files: 123
Infected files: 0
Data scanned: 39.26 MB
Time: 0.802 sec (0 m 0 s)

However, setting the full path to the signature file followed by the full path to a test file also achieves what I want, a test of the signature file without scanning every file in the source directory, as well:

clamscan -v -d /var/tmp/rsync/MSRBL-SPAM.ndb /var/tmp/clamav/scan-test.txt
Scanning /var/tmp/rsync/MSRBL-SPAM.ndb
/var/tmp/rsync/MSRBL-SPAM.ndb: OK

----------- SCAN SUMMARY -----------
Known viruses: 1510
Engine version: 0.91.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 0.008 sec (0 m 0 s)

And this works even with the clamav and amavis users and groups removed. I'll be updating and testing my script and will release an updated version soon. Thanks everyone for the feedback, I think all of this shows that the issue appears to be with access to /dev/null, for some strange reason.

Bill

> There used to be a problem with clam when started by root.
> Files were created and owned by root and when the clam process su'd to the run-as
> user it could no longer work with those startup files. That problem was
> corrected.

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
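The working approach Bill arrives at above (an explicit signature file plus an explicit test file, rather than stdin from /dev/null or an implicit scan of the current directory) can be wrapped so that the temp-directory problem is caught before clamscan reports "Can't write to temporary directory". This is an added example, not Bill's script or anything from the ClamAV project; the database and test-file paths are placeholders, and it relies on clamscan's --tempdir option and its exit codes (0 clean, 1 signature match, 2 error).

```shell
#!/bin/sh
# Added example: test one ClamAV signature database against one explicit file,
# using a private temp dir that the invoking user is known to be able to write.

# Return 0 if DIR exists and the current user can actually create a file in it.
tmpdir_writable() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ] || return 1
    probe=$(mktemp "$dir/sigtest.XXXXXX" 2>/dev/null) || return 1
    rm -f "$probe"
    return 0
}

# Map a clamscan exit status to a one-word verdict.
classify_exit() {
    case $1 in
        0) echo clean ;;
        1) echo match ;;
        *) echo error ;;
    esac
}

# test_sigdb DB TESTFILE [TMPBASE]: run clamscan with DB against TESTFILE only.
# Preconditions are checked first so a permission problem is reported as such,
# instead of surfacing as an unexplained clamscan error; returns clamscan's
# exit status, or 2 if a precondition fails.
test_sigdb() {
    db=$1; testfile=$2; tmpbase=${3:-/tmp}
    [ -r "$db" ] || { echo "error: cannot read $db" >&2; return 2; }
    [ -f "$testfile" ] || { echo "error: no test file $testfile" >&2; return 2; }
    tmpdir_writable "$tmpbase" || { echo "error: $tmpbase not writable by $(id -un)" >&2; return 2; }
    scratch=$(mktemp -d "$tmpbase/sigtest.XXXXXX") || return 2
    # Scan the one named file with the one named database; nothing else is touched.
    clamscan --quiet --tempdir="$scratch" -d "$db" "$testfile"
    rc=$?
    rm -rf "$scratch"
    echo "$(classify_exit "$rc"): $db vs $testfile (rc=$rc)"
    return "$rc"
}

# Usage with placeholder paths (assumed, not from the thread):
# test_sigdb /var/tmp/rsync/MSRBL-SPAM.ndb /var/tmp/clamav/scan-test.txt
```

Run it as the same account clamd runs under (amavis in Bill's setup) so that the temp-dir check reflects the permissions clamd will actually have.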
