Hi Dennis,

Many thanks for the time you took to reply. Though I haven't had any epiphanies yet, talking the situation over definitely helps...

> Running clamd as root is probably a bad idea but I can imagine a lot of
> debate I'm not interested in rising from that statement.

If I understand this statement correctly there is a camp of clamav users who think it is best to run it as root? That is somewhat unexpected. I never seriously considered it before it was suggested prior in this thread, but I am putting some thought to it now...

> It is not
> something I would do. When I hit this problem of allowing clamd and my
> milters to share that and other sockets I put them all in the same
> UID/GID (not root).

So as an example you run your clamd and your milter processes all under the clamav user? To apply that to my situation, I would then run simscan and clamd using the same uid. That is a novel idea, I will have to think on what that involves... When you set your system up like this, does your clamd socket have world rw on it? Do you have any processes that access the socket via their group permissions, or only via their user permissions?

> Top posting from Seattle...

I realize seeing this that the list rules are not to top post, yet my very first reply to this list that is exactly what I did. I make apologies; it is a damned hard habit to break...

>
> dp
>
> On 7/31/13 10:27:26AM, Bob Miller wrote:
> > Thank you very much for taking the time to respond. It is truly
> > appreciated...
> >
> > I was able to make your suggestion work by removing the following two
> > lines from clamd.conf:
> >
> > User clamav
> > LocalSocketGroup simscan
> >
> > which creates the socket thusly:
> >
> > srw-rw---- 1 root root 0 Jul 31 10:04 clamd.socket
> >
> > This way clamd runs as root, daemontools can restart clamd, and simscan
> > can scan the test message. It works, but I am not really liking the
> > idea of running clamd as root. Seems to me that that has as many risk
> > variables as giving world perms to a non-root process (which didn't
> > really work as expected anyway).
> >
> > So is this to say that it is not possible to run clamav under a non-root
> > user if you want to grant group access to the socket? I can
> > see/understand why using root works (and thank you again for showing it
> > to me), but I still fail to understand the cause behind my previous
> > observations that group permissions do not seem to work on the socket?
> >
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
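
One way to narrow down a group-access problem like the one discussed in this message is to check every mode bit on the path to the socket, not only the bits on the socket itself. The following is an added example, not part of the original thread and not ClamAV code; `class_bits`, `socket_blockers`, the temporary socket and the second uid are constructed for illustration, and only classic mode bits are considered (no ACLs, SELinux or AppArmor).

```python
import os
import socket
import stat
import tempfile

def class_bits(st, uid, gids):
    """Pick the rwx triplet the kernel applies: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def socket_blockers(sock_path, uid, gids, base="/"):
    """List (path, reason) entries that stop uid/gids connecting to sock_path.
    Needs search (x) on each directory from base down and write (w) on the socket."""
    if uid == 0:
        return []  # root bypasses mode-bit checks
    sock_path, base = os.path.abspath(sock_path), os.path.abspath(base)
    dirs, current = [], os.path.dirname(sock_path)
    while True:  # collect directories from the socket's parent up to base
        dirs.append(current)
        if current == base or current == os.path.dirname(current):
            break
        current = os.path.dirname(current)
    blockers = [(d, "no search (x) permission on directory")
                for d in reversed(dirs)
                if not class_bits(os.stat(d), uid, gids) & 1]
    st = os.stat(sock_path)
    if not stat.S_ISSOCK(st.st_mode):
        blockers.append((sock_path, "not a socket"))
    elif not class_bits(st, uid, gids) & 2:
        blockers.append((sock_path, "no write (w) permission on socket"))
    return blockers

def demo():
    """Constructed scenario: a 0660 socket inside a 0750 directory."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "clamd.socket")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.bind(path)  # the socket file stays on disk after close
    os.chmod(path, 0o660)
    os.chmod(d, 0o750)
    st = os.stat(path)
    groups = {st.st_gid, os.stat(d).st_gid}
    scanner_uid = st.st_uid + 1  # hypothetical second account
    return (socket_blockers(path, scanner_uid, groups, base=d),
            socket_blockers(path, scanner_uid, set(), base=d))

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the scanner account's uid and its full set of group ids (primary and supplementary) together with the socket path from clamd.conf.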
