> so my test #6:
>
> s------rw- 1 clamav simscan 0 Jul 29 10:04 clamd.socket
>
> since clamav is in the owner class, its effective permissions should be
> ---, which should deny access to the clamav user regardless of any other
> permission for group or other. Yet it still has access to the socket.

Well, there is a slight complication here, because, while most non-interactive tools will test the permissions of the file before allowing you to read/write to it, as the owner, you can always force things to read/write it (i.e. read(2)/write(2) type calls will still succeed). I haven't looked at clamd's source, but it may not check the access(2) permissions before doing things with the socket.

> Conversely, my test #5:
>
> s------rw- 1 root root 0 Aug 1 14:40 clamd.socket
>
> since clamav is not a member of the owner class, and is not a member of
> the group class, it should then be a member of the other class, and as
> the other class, it should be granted rw. Yet clamav cannot access the
> socket.
>
> Perhaps I am not seeing the point you are illustrating?

That is very strange behavior indeed. If I were you, I might hack up a few test C programs that use the access(2) call, and read(2)/write(2) or send(2)/recv(2) calls, and run it as different users to verify you're getting the permission problems you are. If what you get is different, then perhaps clamd is using some other internal logic, which is not immediately apparent, to check whether or not it can access the socket.

Might be more trouble than it's worth, i.e. to solve the problem, but again, it's interesting and might be fun for its own sake.

--
Bryan Burke
IT Administrator
Department of Electrical Engineering and Computer Science
University of Tennessee, Knoxville
(865) 974-4694
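
The kind of test program suggested above, as an added example that is not part of the original message or of ClamAV: it reports what access(2) predicts for a Unix socket path next to what a real connect(2) returns for the calling user. The names probe_access, probe_connect and make_listener are hypothetical, and the optional second argument creates a constructed test listener with the given octal mode.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Fill sa for path; returns 0, or ENAMETOOLONG if the path does not fit. */
static int fill_addr(struct sockaddr_un *sa, const char *path) {
    if (strlen(path) >= sizeof sa->sun_path) return ENAMETOOLONG;
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    strcpy(sa->sun_path, path);
    return 0;
}

/* What access(2) predicts for read+write: 0 if allowed, else errno. */
int probe_access(const char *path) { return access(path, R_OK | W_OK) == 0 ? 0 : errno; }
/* What an actual connect(2) does: 0 if connected, else errno. */
int probe_connect(const char *path) {
    struct sockaddr_un sa;
    int fd, err = fill_addr(&sa, path);
    if (err) return err;
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return errno;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) err = errno;
    close(fd);
    return err;
}

/* Constructed fixture: listening socket at path with the given mode; fd or -1. */
int make_listener(const char *path, mode_t mode) {
    struct sockaddr_un sa;
    int fd;
    if ((errno = fill_addr(&sa, path)) || (fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) || listen(fd, 4) || chmod(path, mode)) { close(fd); fd = -1; }
    return fd;
}

int main(int argc, char **argv) { /* PATH [OCTAL_MODE]: a mode creates a test listener first */
    if (argc < 2) { fprintf(stderr, "usage: %s PATH [OCTAL_MODE]\n", argv[0]); return 2; }
    if (argc > 2 && make_listener(argv[1], (mode_t)strtol(argv[2], NULL, 8)) < 0) { perror("listener"); return 1; }
    int a = probe_access(argv[1]), c = probe_connect(argv[1]);
    printf("uid=%d path=%s\naccess(R_OK|W_OK): %s\n", (int)getuid(), argv[1], a ? strerror(a) : "allowed");
    printf("connect():         %s\n", c ? strerror(c) : "connected");
    return 0;
}
```

Run it once per user being tested against the real socket path, or pass a mode such as 0006 with a scratch path to reproduce the owner-class case without touching clamd.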
