Running clamd as root is probably a bad idea but I can imagine a lot of
debate I'm not interested in arising from that statement. It is not
something I would do. When I hit this problem of allowing clamd and my
milters to share that and other sockets I put them all in the same
UID/GID (not root). I've not been able to find a downside, and
everything works happily together. That doesn't mean one doesn't exist,
but after close to 10 years of running this way on dozens of systems no
problems have been revealed.
Top posting from Seattle...
dp
On 7/31/13 10:27:26AM, Bob Miller wrote:
Thank you very much for taking the time to respond. It is truly
appreciated...
I was able to make your suggestion work by removing the following two
lines from clamd.conf:
User clamav
LocalSocketGroup simscan
which creates the socket thusly:
srw-rw---- 1 root root 0 Jul 31 10:04 clamd.socket
This way clamd runs as root, daemontools can restart clamd, and simscan
can scan the test message. It works, but I am not really liking the
idea of running clamd as root. Seems to me that that has as many risk
variables as giving world perms to a non-root process (which didn't
really work as expected anyway).
So is this to say that it is not possible to run clamav under a non-root
user if you want to grant group access to the socket? I can
see/understand why using root works (and thank you again for showing it
to me), but I still fail to understand the cause behind my previous
observations that group permissions do not seem to work on the socket?
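Added example, not part of either message above: a small Python check that reads a socket's owner, group and mode and reports whether a given client account can connect, using the Linux rule that connect() needs write permission on the socket. The uid/gid numbers in the usage line and the finding strings are constructed for illustration.

```python
import os
import stat
from dataclasses import dataclass

@dataclass
class SocketPerms:
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o660

def read_perms(path):
    """Stat a path and return its ownership and mode; reject non-sockets."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix socket")
    return SocketPerms(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))

def can_connect(p, uid, gids):
    """Linux rule: connect() needs write permission on the socket itself.
    Exactly one permission class applies: owner, then group, then other."""
    if uid == 0:  # root bypasses the mode bits
        return True
    if uid == p.uid:
        return bool(p.mode & stat.S_IWUSR)
    if p.gid in gids:
        return bool(p.mode & stat.S_IWGRP)
    return bool(p.mode & stat.S_IWOTH)

def findings(p, client_uid, client_gids):
    """Return a list of problems for this socket/client pairing."""
    out = []
    if p.uid == 0:
        out.append("root-owned socket")      # created by a root process
    if p.mode & stat.S_IWOTH:
        out.append("world-writable socket")  # any local user can connect
    if not can_connect(p, client_uid, client_gids):
        out.append("client cannot connect")
    return out

if __name__ == "__main__":
    import sys
    # Usage (constructed): check.py /path/to/clamd.socket <client-uid> <client-gid>...
    perms = read_perms(sys.argv[1])
    gids = {int(g) for g in sys.argv[3:]}
    print(perms, findings(perms, int(sys.argv[2]), gids))
```

The check covers only the socket inode; the client also needs search permission on every directory leading to it.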