https://bugzilla.redhat.com/show_bug.cgi?id=1028653

            Bug ID: 1028653
           Summary: Freshclam cannot notify clamd of database updates due
                    to permission denied
           Product: Fedora
           Version: 19
         Component: amavisd-new
          Severity: low
          Assignee: st...@silug.org
          Reporter: rocketra...@gmail.com
        QA Contact: extras...@fedoraproject.org
                CC: enrico.sch...@informatik.tu-chemnitz.de,
                    kana...@kanarip.com,
                    perl-devel@lists.fedoraproject.org,
                    redhat-bugzi...@linuxnetz.de, st...@silug.org



The problem initially reported in Bug #548234 is happening again. Here are the
permissions on /var/spool/amavisd with a default installation of amavisd-new:

# ls -ld /var/spool/amavisd
drwx--x---. 8 amavis amavis 4096 May 10 13:27 /var/spool/amavisd

# rpm -q --info amavisd-new
Name        : amavisd-new
Version     : 2.8.0
Release     : 5.fc19

The permissions and group ownership for /var/spool/amavisd should be:

# ls -ld /var/spool/amavisd
drwxrwx---. 8 amavis clamupdate 4096 May 10 13:27 /var/spool/amavisd
    ^^^              ^^^^^^^^^^


+++ This bug was initially created as a clone of Bug #548234 +++

clamav-update (freshclam) is unable to notify clamav of updates to the database
via local socket.

This is on a fresh newly installed Fedora 12 system (not an upgrade). The
following package versions are installed:

clamav-0.95.2-5.fc12.i686
clamav-lib-0.95.2-5.fc12.i686
clamav-server-0.95.2-5.fc12.i686
clamav-filesystem-0.95.2-5.fc12.noarch
clamav-update-0.95.2-5.fc12.i686
clamav-data-0.95.2-5.fc12.noarch
amavisd-new-2.6.4-1.fc12.noarch


How reproducible:

Every time.


Steps to Reproduce:

1. Delete /var/lib/clamav/daily.cld
2. Run freshclam


Actual results:

Freshclam gets the following error:

WARNING: Clamd was NOT notified: Can't connect to clamd through
/var/spool/amavisd/clamd.sock
connect(): Permission denied


Expected results:

Notify works correctly.


Additional info:

I have configured /etc/freshclam.conf with 

AllowSupplementaryGroups yes

and also added the clamupdate user to the amavis group:

# grep -E "(amavis|clamupdate)" /etc/passwd
clamupdate:x:490:471:Clamav database update user:/var/lib/clamav:/sbin/nologin
amavis:x:489:470::/var/spool/amavisd:/sbin/nologin

# grep -E "(amavis|clamupdate)" /etc/group
clamupdate:x:471:
amavis:x:470:clamupdate

I can also confirm that freshclam is using the clamupdate user and is loading
the supplementary amavis group via strace, where I can see this information
near the top of the trace:

setgroups32(2, [471, 470])              = 0
setgid32(471)                           = 0
setuid32(490)                           = 0

However, freshclam still fails. This is the access failure from the strace:

connect(5, {sa_family=AF_FILE, path="/var/spool/amavisd/clamd.sock"}, 110) = -1
EACCES (Permission denied)

Permissions on the clamd.sock file are as follows:

# ls -l /var/spool/amavisd/clamd.sock
srwxrwxrwx 1 amavis amavis 0 2009-12-16 19:04 /var/spool/amavisd/clamd.sock

# stat /var/spool/amavisd/clamd.sock
  File: `/var/spool/amavisd/clamd.sock'
  Size: 0             Blocks: 0          IO Block: 4096   socket
Device: fd01h/64769d    Inode: 5243668     Links: 1
Access: (0777/srwxrwxrwx)  Uid: (  489/  amavis)   Gid: (  470/  amavis)
Access: 2009-12-16 19:07:10.706297129 -0500
Modify: 2009-12-16 19:04:36.167296751 -0500
Change: 2009-12-16 19:04:36.167296751 -0500

--- Additional comment from Enrico Scholz on 2009-12-17 03:38:52 EST ---

What are the permissions for the /var/spool/amavisd directory?  Are there
SELinux AVCs?

--- Additional comment from Raman Gupta on 2009-12-17 12:04:13 EST ---

Yup, /var/spool/amavisd directory permissions are set to 700 -- sorry I should
have noticed that. Changing them to 770 works.

Should changing these directory perms be permanently applied to the amavisd-new
package? The user/group is amavis and the amavis group has no other users in it
by default, so changing the perms to 770 is effectively the same access level
by default. However, changing the perm to 770 in the package would allow clamav
notifications to work as expected out of the box (with the appropriate config
and supplementary group entries of course, but a user expects to make those)
[1]. It would also prevent people's notifications from breaking every time
there is an update to the amavisd-new package, and the directory permissions
are reset.

If you think this is a good idea, could you change the component to amavisd-new
and mark this as an "enhancement"?

[1] Note I don't have selinux enabled so perhaps there might be a package
change to selinux perms as well.
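
Added example (not part of the original bug report, and not code from amavisd-new or ClamAV): a small model of the discretionary permission checks on the path to clamd.sock, showing why connect() returned EACCES with the directory at 700 even though the socket itself was 0777. The UIDs, GIDs and socket mode are taken from the report; the modes of /var and /var/spool are constructed, and root overrides, POSIX ACLs and SELinux are not modelled.

```python
from dataclasses import dataclass

@dataclass
class Node:
    path: str
    mode: int  # permission bits, e.g. 0o700
    uid: int
    gid: int

def class_bits(node, uid, groups):
    """rwx triplet the kernel selects: owner class, else group class, else other."""
    if uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in groups:
        return (node.mode >> 3) & 7
    return node.mode & 7

def first_denial(chain, uid, groups):
    """chain: directories leading to the socket, then the socket itself.
    Returns (path, reason) for the first failing DAC check, or None.
    Not modelled: root/capability overrides, POSIX ACLs, SELinux."""
    *dirs, sock = chain
    for d in dirs:
        if not class_bits(d, uid, groups) & 1:
            return (d.path, "search (x) denied on directory")
    if not class_bits(sock, uid, groups) & 2:
        return (sock.path, "write (w) denied on socket")
    return None

AMAVIS_UID, AMAVIS_GID = 489, 470          # from /etc/passwd in the report
CLAMUPDATE_UID, CLAMUPDATE_GID = 490, 471  # from /etc/passwd in the report

def spool_chain(spool_mode):
    """Path to clamd.sock; /var and /var/spool modes are constructed (assumed 0755 root)."""
    return [
        Node("/var", 0o755, 0, 0),
        Node("/var/spool", 0o755, 0, 0),
        Node("/var/spool/amavisd", spool_mode, AMAVIS_UID, AMAVIS_GID),
        Node("/var/spool/amavisd/clamd.sock", 0o777, AMAVIS_UID, AMAVIS_GID),
    ]

if __name__ == "__main__":
    groups = {CLAMUPDATE_GID, AMAVIS_GID}  # setgroups32(2, [471, 470]) in the strace
    for mode in (0o700, 0o770):
        print(oct(mode), first_denial(spool_chain(mode), CLAMUPDATE_UID, groups))
```

With mode 0o700 the first denial is the search permission on /var/spool/amavisd; with 0o770 no check fails, matching the result reported in the comment above.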

--- Additional comment from Enrico Scholz on 2010-01-17 05:06:24 EST ---

reassigned to amavisd-new

--- Additional comment from Bug Zapper on 2010-11-03 23:09:21 EDT ---


This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

--- Additional comment from Raman Gupta on 2010-12-01 23:21:45 EST ---

This is still a problem on Fedora 14 (freshly installed system).

A workaround is to use the yum-plugin-post-transaction-actions plugin to change
the permissions of /var/spool/amavisd after every update to the amavisd
package. However, that really shouldn't be necessary.

--- Additional comment from Fedora Update System on 2011-09-18 22:39:47 EDT ---

amavisd-new-2.6.6-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/amavisd-new-2.6.6-1.fc15

--- Additional comment from Fedora Update System on 2011-09-18 22:40:31 EDT ---

amavisd-new-2.6.6-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/amavisd-new-2.6.6-1.fc16

--- Additional comment from Fedora Update System on 2011-09-19 14:31:17 EDT ---

Package amavisd-new-2.6.6-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing amavisd-new-2.6.6-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/amavisd-new-2.6.6-1.fc16
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2011-10-02 14:14:46 EDT ---

amavisd-new-2.6.6-1.fc16 has been pushed to the Fedora 16 stable repository. 
If problems still persist, please make note of it in this bug report.

--- Additional comment from Fedora Update System on 2011-10-02 19:06:03 EDT ---

amavisd-new-2.6.6-1.fc15 has been pushed to the Fedora 15 stable repository. 
If problems still persist, please make note of it in this bug report.
