On 31/01/2020 16:54, Vladislav Kurz via clamav-users wrote:
On 31/01/2020 15:06, Michael Orlitzky via clamav-users wrote:
On 1/31/20 2:47 AM, Steve Basford wrote:
Hi All,
eXtremeSHOK.com's clamav-unofficial-sigs download script has been
updated:
https://github.com/extremeshok/clamav-unofficial-sigs
Change Log
Version 7.0.1 (Updated 25 January 2020)
Beware, as of a few versions ago this script is filled with a million
unsafe uses of chown and chmod, running as root. The script should never
be using chown/chmod in the first place, so all of these are wrong,
$ grep 'chown\|chmod' clamav-unofficial-sigs.sh | wc -l
40
and many of them are exploitable if the clamav user swaps out one of the
targets for a symlink pointing to e.g. /etc/passwd. And since the script
runs on a predictable schedule, you have all the time in the world to do
that.
True. This script should never be run as root, but as clamav user. Thus
chown would not be needed at all. Just as freshclam is run as clamav
user too.
The way it's set up is that it needs to be ran as root once to have it
set itself up. From cron it runs as clamav user.
Good luck,
Reio
_______________________________________________
clamav-users mailing list
[email protected]
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
