The idea is noble, allowing clamd to drop privileges and thus being less vulnerable to manipulations. Running Clamonacc as root and feeding clamd with only the fd of a file. Alas, this still requires clamd to have read permission to read a file outside its own user and group settings.

Of course, one can make all files and directories world readable, but that is exactly what you want to avoid on a public server. I want file access to be controlled and only root can access them all. So, to be able to let clamd do its work, I had to reverse the privilege setting to keep clamd running as root.

Actually, it was expected from the start that this feature would not work without streaming support by clamonacc.

--- Frans


clamav-users mailing list
