Hi!
No worries about sounding complainy. I'm glad you're reaching out for help.
I recommend always running clamonacc using the --fdpass command line argument,
provided it is available on your system. Some older systems (RHEL 7, etc.) may
not be able to use it. With fd-passing enabled, ClamOnAcc will pass its open
file descriptor to ClamD so it can scan files that it wouldn't otherwise have
read access to. I think this should resolve the concern about scanning files
like /home/user/eicar-test.txt.
I'm unsure why you're getting:
133863 ERROR: ClamInotif: could not watch path '/var/www', No such file or
directory
Perhaps it is a mount point or something? Anyone else have any insights?
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: clamav-users <[email protected]> on behalf of dee
heffemm via clamav-users <[email protected]>
Sent: Thursday, September 9, 2021 7:53 AM
To: [email protected] <[email protected]>
Cc: dee heffemm <[email protected]>
Subject: [clamav-users] Why does clamonacc says /var/www does not exist (among
other things)?
I'm trying to configure (ClamAV 0.103.2/26289 on Ubuntu 18.04) `clamonacc`
using the instructions here[1]. I got through the steps and tried starting with
`User clamav` but got a lot of permission errors in the logs when a file was
chmod'd 0600:
"/home/user/eicar-test.txt: Can't open file or directory ERROR"
Ok, this makes sense because `clamav` is not UID 0. How is clamonacc supposed
to scan files with restricted permissions? Many users can set a umask in their
~/.bashrc to create files with 0600. In multi-user environments, it's typical
to have /home/$USER set 0700 as well.
I changed to `User root` to see what happened, but then when using #vi on a
file in /tmp/, it would take a good minute to open and I would get errors like:
ERROR: ClamCom: TIMEOUT while waiting on socket (recv). The clamav docs[2]
seem to state running as 'root' is unnecessary:
"a system admin need only ensure clamd has the read and access permissions
necessary to deal with any file descriptors clamonacc may pass along. "
So, I changed back to `User clamav`.
I'd still like to monitor /tmp as it's a favorite place when any kind of
process needs to write a file so changed `TemporaryDirectory /var/lib/clamav/`
since it's not monitored by clamonacc and maybe won't create a race condition
with its own temp files.
These are the other edits I've made to /etc/clamav/clamd.conf. I'd like to
monitor /var/www since it's a writable place for the apache server (yeah, I
know, but web apps and webmasters write files and use plugins and this is where
they manage them, usually from a web console).
ExcludePath ^/proc
ExcludePath ^/sys
ExcludePath ^/run
ExcludePath ^/dev
ExcludePath ^/var/lib/lxcfs/cgroup
OnAccessPrevention yes
OnAccessExcludeUname clamav
OnAccessIncludePath /var/www
OnAccessIncludePath /home
OnAccessIncludePath /tmp
When I reboot however and clamd/clamonacc/freshclam come up, they can't seem to
find "/var/www" (permissions 0755). Why is this?
133857 ClamScanQueue: waiting to consume events ...
133858 ClamInotif: watching '/var/www' (and all sub-directories)
133859 ClamInotif: watching '/home' (and all sub-directories)
133860 ClamInotif: watching '/tmp' (and all sub-directories)
133861 Excluding temp directory: /var/lib/clamav/
133862 ClamInotif: NVM, didn't actually need to exclude '/var/lib/clamav/'
133863 ERROR: ClamInotif: could not watch path '/var/www', No such file or
directory
133864 ClamFanotif: attempting to feed consumer queue
Thanks for all your work on clamav! I'm trying not to sound complainy.
[1] https://docs.clamav.net/manual/OnAccess.html
[2] https://blog.clamav.net/2019/09/understanding-and-transitioning-to.html
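
Added example, not part of the original thread and not ClamAV code: a sketch of the Unix descriptor-passing mechanism (SCM_RIGHTS over a Unix domain socket) that the --fdpass reply above relies on, showing that the receiver can read a 0600 file it never opens by path and only gets the access mode the sender opened with. The "client" and "daemon" roles are stand-ins for clamonacc and clamd in one process; the function name and sample payload are constructed for illustration.

```python
import array
import os
import socket
import tempfile


def pass_and_read(payload: bytes) -> dict:
    """Open a 0600 file in the client role, pass the fd, read it in the daemon role."""
    client, daemon = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    fd, path = tempfile.mkstemp()            # mkstemp creates the file with mode 0600
    try:
        os.write(fd, payload)
        os.close(fd)
        # Client role: it has access to the file, so it opens it read-only.
        src = os.open(path, os.O_RDONLY)
        # The descriptor travels as SCM_RIGHTS ancillary data; at least one
        # byte of ordinary data has to accompany it.
        client.sendmsg([b"F"],
                       [(socket.SOL_SOCKET, socket.SCM_RIGHTS,
                         array.array("i", [src]))])
        os.close(src)                        # the in-flight copy keeps the file open
        os.unlink(path)                      # the receiver never needs the path
        # Daemon role: receives a new fd number for the same open file description.
        fds = array.array("i")
        _, ancdata, _, _ = daemon.recvmsg(1, socket.CMSG_LEN(fds.itemsize))
        level, ctype, cdata = ancdata[0]
        if (level, ctype) != (socket.SOL_SOCKET, socket.SCM_RIGHTS):
            raise RuntimeError("no descriptor received")
        fds.frombytes(cdata[:fds.itemsize])
        got = fds[0]
        data = os.read(got, len(payload) + 1)
        try:
            os.write(got, b"x")              # access mode was fixed by the sender's open()
            writable = True
        except OSError:
            writable = False
        os.close(got)
        return {"data": data, "writable": writable,
                "path_exists": os.path.exists(path)}
    finally:
        client.close()
        daemon.close()
        if os.path.exists(path):
            os.unlink(path)


if __name__ == "__main__":
    print(pass_and_read(b"constructed sample contents"))
```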