On 2024-11-13 10:21:28 [+0000], Alain Knaff wrote:
> Hi,
Hi,

> By default, clamonacc fails to scan any non-publicly readable file
> with the following error:
> 
> File path check failure: Permission denied. Error
> 
> Some research found the following pages about this, which seem to
> suggest adding --fdpass (or --stream) to /usr/sbin/clamonacc command
> line parameters.
> 
> https://github.com/Cisco-Talos/clamav/issues/1050
> https://www.securiteinfo.com/clamav-antivirus/fixing-most-common-issues-encountered-with-clamav.shtml
> 
> So, clamonacc should be started as follows from
> /usr/lib/systemd/system/clamav-clamonacc.service :
> 
> ExecStart=/usr/sbin/clamonacc --fdpass -F --log=/var/log/clamav/clamonacc.log --move=/root/quarantine
> 
> From what I understood, clamonacc spawns an unprivileged sub process to
> perform the actual scanning, and by default the sub process attempts to
> open the file to be scanned itself, as an unprivileged user.
> 
> --fdpass or --checkpass instead have the (privileged) parent open the
> file, and pass the file descriptor to the child, avoiding the issue.

This works if the unix socket is used for the communication with clamd.
If I'm not mistaken, clamonacc runs as root but clamd does not. So it
might not be able to access the file in question.
You can't pass this via config file so commandline is the only option.
Overwriting the service file is not an option?

> Moreover, the /root/quarantine directory is not created by the install
> scripts, leading to a non-functional clamonacc, because it has nowhere to
> move infected files to.

This is correct. If postinst creates it then postrm would have to remove
it. You need to set up all the OnAcc* entries. Would it work to also
decide where the files should be moved to?

> Thanks,

Sebastian
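
The two fixes discussed in this thread (adding --fdpass to the clamonacc command line, and creating the --move= target) can be applied locally without editing the packaged unit file, by using a systemd drop-in. The script below is an added example, not code from the thread, from ClamAV or from the Debian package. It assumes a drop-in directory at /etc/systemd/system/clamav-clamonacc.service.d/ (the standard systemd location), a file name fdpass.conf, and an optional root prefix argument so it can be exercised in a scratch directory; the quarantine path is a parameter because /root/quarantine is only the value from the quoted unit. As Sebastian notes above, --fdpass only works when clamonacc talks to clamd over the unix socket (LocalSocket in clamd.conf), so the example checks the final ExecStart line for --fdpass or --stream rather than assuming the override took effect.

```shell
#!/bin/sh
# Added example (not from the thread, ClamAV or Debian): write a systemd
# drop-in that overrides clamonacc's ExecStart to add --fdpass, create the
# quarantine directory that --move= needs, and check the result.
# The first argument of each function is a root prefix ("/" for a real
# system, a scratch directory for testing); it is an assumption of this
# example, not a systemd or ClamAV convention.

set -eu

# Write the drop-in. ExecStart= must be cleared with an empty assignment
# before a new value is given, otherwise systemd reports that only one
# ExecStart= is allowed for a non-oneshot service and the unit fails to load.
write_clamonacc_dropin() {
    root="${1:-/}"
    quarantine="${2:-/root/quarantine}"
    dir="$root/etc/systemd/system/clamav-clamonacc.service.d"
    mkdir -p "$dir"
    cat > "$dir/fdpass.conf" <<EOF
[Service]
ExecStart=
ExecStart=/usr/sbin/clamonacc --fdpass -F --log=/var/log/clamav/clamonacc.log --move=$quarantine
EOF
    printf '%s\n' "$dir/fdpass.conf"
}

# Create the quarantine directory. It will hold live malware, so restrict it
# to root (0700) explicitly instead of relying on the umask.
create_quarantine_dir() {
    root="${1:-/}"
    quarantine="${2:-/root/quarantine}"
    mkdir -p "$root$quarantine"
    chmod 0700 "$root$quarantine"
    printf '%s\n' "$root$quarantine"
}

# Return 0 if the last ExecStart= line in the given unit or drop-in passes
# --fdpass or --stream, 1 otherwise. The last line wins in systemd, which is
# why the check looks at the final one rather than the first.
check_fdpass() {
    conf="$1"
    last=$(grep '^ExecStart=' "$conf" | tail -n 1)
    case "$last" in
        *--fdpass*|*--stream*) return 0 ;;
        *) return 1 ;;
    esac
}

# Typical use on a real system (run as root, then reload systemd):
#   write_clamonacc_dropin / /root/quarantine
#   create_quarantine_dir / /root/quarantine
#   systemctl daemon-reload && systemctl restart clamav-clamonacc.service
```

After `systemctl daemon-reload`, `systemctl cat clamav-clamonacc.service` shows the packaged unit followed by the drop-in, so the override survives package upgrades that replace the unit file in /usr/lib/systemd/system. If clamd.conf uses TCPSocket instead of LocalSocket, --fdpass cannot hand the descriptor across and --stream is the fallback, at the cost of copying every scanned file over the socket.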
