Bug#823864: [pkg-lxc-devel] Bug#823864: Bug#823864: libpam-cgfs: installing libpam-cgfs from backport on stable prevent session from opening

2016-07-03 Thread Xavier Quost
Hi Evgeni

I confirm that  I can't reproduce the bug with kernel 
linux-image-4.6.0-0.bpo.1-amd64 4.6.1-1~bpo8+1

I had no opportunity to look at stretch for the moment

I have no issue with the bug being closed since upgrading the backport kernel 
solves the problem.

Thanks for your efforts

Best regards

Xavier 

--
Xavier Quost



Bug#823864: [pkg-lxc-devel] Bug#823864: libpam-cgfs: installing libpam-cgfs from backport on stable prevent session from opening

2016-06-16 Thread Xavier Quost
You have done most of the work

Thank you

--
Xavier Quost

> On 16 June 2016 at 21:00, Evgeni Golov <evg...@golov.de> wrote:
> 
> Hi,
> 
> On Sun, Jun 05, 2016 at 05:41:58PM +0200, Xavier Quost wrote:
> 
>>> Any pointers how to reproduce your setup would be awesome.
>> 
>> Yes, and good news, I was able to narrow down the problem and to reproduce it on 
>> another jessie + backports box:
>> 
>> To reproduce the problem, both boxes need :
>> (1) sysinit (no systemd) as system startup
>> (2) cgroupfs-mount installed
> 
> One thing was missing from that list: libpam-systemd.
> I was able to reproduce this by taking a plain jessie vm and installing the 
> following:
> - libpam-cgfs
> - cgroupfs-mount
> - sysvinit-core
> - libpam-systemd
> - linux-image-4.5.0-0.bpo.2-amd64
> 
> Not using kernel 4.5.x does not trigger the issue.
> 
>> Please, what would be the following steps ?
> 
> I guess this is an issue somewhere between the new cgroups in 4.5 and 
> systemd-shim.
> I'll try to pinpoint that further when I have some time.
> 
> Thanks a lot for the report and helping to debug it so far!
> 
> Greets
> Evgeni



Bug#823864: [pkg-lxc-devel] Bug#823864: libpam-cgfs: installing libpam-cgfs from backport on stable prevent session from opening

2016-06-05 Thread Xavier Quost
Hi Evgeni


Still sorry for this late answer, I'm back home now and will be able to answer 
more quickly.


>Any pointers how to reproduce your setup would be awesome.

Yes, and good news, I was able to narrow down the problem and to reproduce it on 
another jessie + backports box:

To reproduce the problem, both boxes need :
(1) sysinit (no systemd) as system startup
(2) cgroupfs-mount installed


Both boxes use kernel 4.5.0-0.bpo.2-amd64


# dpkg --list | grep cgroup
ii  cgmanager            0.33-2+deb8u2   amd64  Central cgroup manager daemon
ii  cgroup-bin           0.41-6          all    control and monitor control groups (transitional package)
ii  cgroup-tools         0.41-6          amd64  control and monitor control groups (tools)
ii  cgroupfs-mount       1.1             all    Light-weight package to set up cgroupfs mounts
ii  libcgmanager0:amd64  0.33-2+deb8u2   amd64  Central cgroup manager daemon (client library)
ii  libcgroup1:amd64     0.41-6          amd64  control and monitor control groups (library)
ii  libpam-cgfs          2.0.0-3~bpo8+1  amd64  PAM module for managing cgroups for LXC


# dpkg --list | grep sysvi
ii  sysvinit-core   2.88dsf-59    amd64  System-V-like init utilities
ii  sysvinit-utils  2.88dsf-59.3  amd64  System-V-like utilities

# stat /proc/1/exe
  Fichier : « /proc/1/exe » -> « /sbin/init »
   Taille : 0   Blocs : 0  Blocs d'E/S : 1024   lien symbolique
Périphérique : 4h/4dInœud : 14273   Liens : 1
Accès : (0777/lrwxrwxrwx)  UID : (0/root)   GID : (0/root)
 Accès : 2016-06-05 16:32:37.623997097 +0200
Modif. : 2016-06-05 16:32:37.619997096 +0200
Changt : 2016-06-05 16:32:37.619997096 +0200
  Créé : -


cgroupfs-mount changes the /sys/fs/cgroup mount point

Without this package:
# mount |grep "/sys/"
pstore on /sys/fs/pstore type pstore (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
cgroup on /sys/fs/cgroup type tmpfs (rw,relatime,size=12k)

With this package:

# mount |grep "/sys/"   
pstore on /sys/fs/pstore type pstore (rw,relatime)
fusectl on /sys/fs/fuse/connections type fusectl (rw,relatime)
cgroup on /sys/fs/cgroup type tmpfs (rw,relatime,size=12k)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,relatime,cpuset,release_agent=/run/cgmanager/agents/cgm-release-agent.cpuset,clone_children)
cgroup on /sys/fs/cgroup/cpu type cgroup (rw,relatime,cpu,release_agent=/run/cgmanager/agents/cgm-release-agent.cpu)
cgroup on /sys/fs/cgroup/cpuacct type cgroup (rw,relatime,cpuacct,release_agent=/run/cgmanager/agents/cgm-release-agent.cpuacct)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,relatime,blkio,release_agent=/run/cgmanager/agents/cgm-release-agent.blkio)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,relatime,devices,release_agent=/run/cgmanager/agents/cgm-release-agent.devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,relatime,freezer,release_agent=/run/cgmanager/agents/cgm-release-agent.freezer)
cgroup on /sys/fs/cgroup/net_cls type cgroup (rw,relatime,net_cls,release_agent=/run/cgmanager/agents/cgm-release-agent.net_cls)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,relatime,perf_event,release_agent=/run/cgmanager/agents/cgm-release-agent.perf_event)
cgroup on /sys/fs/cgroup/net_prio type cgroup (rw,relatime,net_prio,release_agent=/run/cgmanager/agents/cgm-release-agent.net_prio)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,relatime,pids,release_agent=/run/cgmanager/agents/cgm-release-agent.pids)


I don't remember why this package was originally installed; I guess I was 
trying to install unprivileged lxc on the box.
I will retrace a step by step installation without this package to check if 
it's required for this purpose

Please, what would be the following steps ?

Thanks, Best regards

XQ

 



Bug#823864: [pkg-lxc-devel] Bug#823864: libpam-cgfs: installing libpam-cgfs from backport on stable prevent session from opening

2016-05-19 Thread Xavier Quost
Hi Evgeni

Sorry for this late answer.

> Strictly speaking bugs about backports should go to
> debian-backports@l.d.o and not the BTS, but I personally do not care, so
> lets keep it here for now.

Ok I will keep this in mind.


> Could you still provide snippets of auth.log and messages around that
> time? Just to crosscheck.

Here is auth.log with libpam-cgfs installed

May 19 11:37:31 pc251270 saslauthd[1938]: detach_tty  : master pid is: 1938
May 19 11:37:31 pc251270 saslauthd[1938]: ipc_init: listening on socket: /var/run/saslauthd/mux
May 19 11:37:31 pc251270 sshd[2371]: Server listening on 0.0.0.0 port 22.
May 19 11:37:31 pc251270 sshd[2371]: Server listening on :: port 22.
May 19 11:37:32 pc251270 sshd[2371]: Received signal 15; terminating.
May 19 11:37:32 pc251270 sshd[3058]: Server listening on 0.0.0.0 port 22.
May 19 11:37:32 pc251270 sshd[3058]: Server listening on :: port 22.
May 19 11:37:49 pc251270 kdm: :0[3246]: pam_unix(kdm:session): session opened for user xquost by (uid=0)
May 19 11:37:55 pc251270 login[3763]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
May 19 11:37:55 pc251270 login[3801]: ROOT LOGIN  on '/dev/tty1'
May 19 11:38:01 pc251270 login[3804]: pam_unix(login:session): session opened for user xquost by LOGIN(uid=0)
May 19 11:38:05 pc251270 login[3814]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=root
May 19 11:38:08 pc251270 login[3814]: FAILED LOGIN (1) on '/dev/tty1' FOR 'root', Authentication failure
May 19 11:38:14 pc251270 login[3814]: FAILED LOGIN (2) on '/dev/tty1' FOR 'root', Authentication failure
May 19 11:38:19 pc251270 login[3814]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
May 19 11:38:19 pc251270 login[3823]: ROOT LOGIN  on '/dev/tty1'
May 19 11:38:29 pc251270 saslauthd[1938]: server_exit : master exited: 1938
May 19 11:38:30 pc251270 sshd[3058]: Received signal 15; terminating.

As I was saying, auth.log shows a normal login (NB: 2 wrong passwords as root to 
ease searching in the log file)

Here is auth.log with libpam-cgfs uninstalled
May 19 11:40:00 pc251270 saslauthd[2063]: detach_tty  : master pid is: 2063
May 19 11:40:00 pc251270 saslauthd[2063]: ipc_init: listening on socket: /var/run/saslauthd/mux
May 19 11:40:00 pc251270 sshd[2416]: Server listening on 0.0.0.0 port 22.
May 19 11:40:00 pc251270 sshd[2416]: Server listening on :: port 22.
May 19 11:40:00 pc251270 sshd[2416]: Received signal 15; terminating.
May 19 11:40:00 pc251270 sshd[3110]: Server listening on 0.0.0.0 port 22.
May 19 11:40:00 pc251270 sshd[3110]: Server listening on :: port 22.
May 19 11:40:12 pc251270 kdm: :0[3298]: pam_unix(kdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=xquost
May 19 11:40:22 pc251270 kdm: :0[3298]: pam_unix(kdm:session): session opened for user xquost by (uid=0)
May 19 11:40:31 pc251270 polkitd(authority=local): Registered Authentication Agent for unix-session:1 (system bus name :1.28 [/usr/lib/kde4/libexec/polkit-kde-authentication-agent-1], object path /org/kde/PolicyKit1/AuthenticationAgent, locale fr_FR.UTF-8)
May 19 11:40:39 pc251270 su[4207]: Successful su for root by xquost
May 19 11:40:39 pc251270 su[4207]: + /dev/pts/0 xquost:root
May 19 11:40:39 pc251270 su[4207]: pam_unix(su:session): session opened for user root by xquost(uid=1000)


> Do you mean you have other Jessie systems where libpam-cgfs does not
> trigger this behaviour?
Yes, but on those systems, there was no attempt to install lxc

> Do you by any chance have SELinux or AppArmor enabled on these boxes?
Yes, apparmor comes as a requirement of lxc



# apt-get install -t jessie-backports  lxc 
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances   
Lecture des informations d'état... Fait
Les paquets suivants ont été installés automatiquement et ne sont plus 
nécessaires :
 linux-headers-4.4.0-0.bpo.1-amd64 linux-headers-4.4.0-0.bpo.1-common 
linux-image-4.4.0-0.bpo.1-amd64 linux-kbuild-4.4
Veuillez utiliser « apt-get autoremove » pour les supprimer.
Les paquets supplémentaires suivants seront installés : 
 apparmor libapparmor-perl libapparmor1 liblxc1 libpam-cgfs libseccomp2 lxcfs
Paquets suggérés :
 apparmor-profiles apparmor-profiles-extra apparmor-docs apparmor-utils 
btrfs-tools lua5.2 lvm2
Les NOUVEAUX paquets suivants seront installés :
 apparmor libapparmor-perl libapparmor1 liblxc1 libpam-cgfs libseccomp2 lxc 
lxcfs
0 mis à jour, 8 nouvellement installés, 0 à enlever et 25 non mis à jour.
Il est nécessaire de prendre 37,0 ko/1 506 ko dans les archives.
Après cette opération, 4 891 ko d'espace disque supplémentaires seront utilisés.
Souhaitez-vous continuer ? [O/n] n

However, before filing this bug report, lxc and apparmor were removed

dpkg -l |grep appar
rc  apparmor  2.9.0-3  amd64  User-space parser 

Bug#822444: Solved

2016-05-01 Thread Xavier Quost
Hello Sebastian

>> remarks : 
>> (1) I have made no editing of clamd.conf file (but still not an excuse for 
>> not checking this file). It's a file resulting (not provided by) from 
>> installation of clamav-daemon package.
>> (2) It seems that starting clamd by sysinit does not enforce right 
>> permissions (  shall I open a bug report for that ?  ).
> 
> can you describe the problem a little?

Just saying what you wrote below
(1) default for clamd is AllowSupplementaryGroups false
(2) when starting with sysinit this option is not taken into account 


>> (3) are not AllowSupplementaryGroups and LocalSocketMode somehow 
>> contradictory ?
> 
> No I don't think so. AllowSupplementaryGroups is basically what enables
> the user of all groups which are part of the clamav user. The second is
> just the socket mode.
> The problem here, as far as I understand it, is that clamsmtp keeps the
> folder + files owned by the clamsmtp group and without the option clamd
> is not part of the group and can't access them.

Ok thanks for explaining 

> Now going forward on fixing this. On one hand the problem is not setting
> AllowSupplementaryGroups to yes. Since clamsmtp adds the clamsmtp group
> to the clamav group it would be their job let the user know to do so.
> On the other we have different behaviour between systemd and systemv
> which is not good.
> Anyone an idea what we should do here? I am kind of leaning towards
> removing the AllowSupplementaryGroups option and making it on by default
> since I see currently no reason why one would not want that.

Basically I was cloning the configuration for a mail server from wheezy to Jessie 
and could not understand my mistake. Comparing the configuration files between 
wheezy and Jessie and seeing nothing relevant led me to look at the init process.

A simple comment in the clamd configuration files like "clamd started with systemd 
is strongly enforcing this option whereas started with sysinit it might not" 
would have been enough for not bothering you.


Best regards and thanks for your kind explanations.

XQ



Bug#822444: Solved

2016-05-01 Thread Xavier Quost
Hello Sebastian

 
> A lot of the stuff in clamav-daemon is legacy stuff and solved in
> systemd differently. To give an example:
> - we pass `-c /etc/clamav/clamd.conf' in the non-systemd case. But this
>   is the default settings so we could drop it. Therefore it makes no
>   difference if you pass this in systemd case or not (nothing changes).
> - In the systemv case we start the daemon via start-stop-daemon and pass
>   the user from the config as an argument. We could however start clamd
>   as root and let the daemon itself change the user to whatever is
>   selected in clamd.conf. This is what happens in the systemd case.

Thanks, so no use to specify configuration file in systemd clamav-daemon.service
 
> I installed clamsmtp and been looking a little around and I think I
> found the problem: Your clamd.conf says
>   AllowSupplementaryGroups disabled
> but clamsmtp adds the group clamsmtp to the clamav user:
> # id clamav
> uid=108(clamav) gid=113(clamav) groups=113(clamav),114(clamsmtp)
> 
> With this option set to disabled / false clamav has only access to the
> clamav user+group. I think if you revert your changes and instead set
> true here (to AllowSupplementaryGroups) then it should work again. I
> *think* systemd + start-stop-daemon do this by default and that is why
> we did not notice this before.
> Could you please check if this change works for you?

Yes it solves the problem.
Sorry for not having looked further than the user in the clamd.conf configuration file.


remarks : 
(1) I have made no editing of clamd.conf file (but still not an excuse for not 
checking this file). It's a file resulting (not provided by) from installation 
of clamav-daemon package.
(2) It seems that starting clamd by sysinit does not enforce right permissions 
(  shall I open a bug report for that ?  ).
(3) are not AllowSupplementaryGroups and LocalSocketMode somehow contradictory ?


Best regards
XQ
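
The effect discussed in this message, as an added example (not part of the original thread and not ClamAV or Debian code): it reads the `Groups:` line of a process's `/proc/<pid>/status` and applies the POSIX owner/group/other check that decides whether `lstat()` on a file inside the spool directory can succeed. The ids 108, 113 and 114 come from the quoted `id clamav` output; the directory owner uid 109, the mode 0750 and both status excerpts are constructed assumptions, and ACLs, capabilities and AppArmor are not modelled.

```python
import stat

# Constructed /proc/<pid>/status excerpts for clamd. Ids 108 (clamav user),
# 113 (clamav group) and 114 (clamsmtp group) are those of `id clamav` above.
STATUS_WITHOUT_SUPP = (
    "Name:\tclamd\n"
    "Uid:\t108\t108\t108\t108\n"
    "Gid:\t113\t113\t113\t113\n"
    "Groups:\t113 \n"
)
STATUS_WITH_SUPP = STATUS_WITHOUT_SUPP.replace("Groups:\t113 ", "Groups:\t113 114 ")

# Assumed ownership and mode of /var/spool/clamsmtp (not given in the thread):
# owned by clamsmtp (uid 109 is a placeholder), group clamsmtp (114), mode 0750.
SPOOL_DIR = {"mode": 0o750, "uid": 109, "gid": 114}


def parse_status(text):
    """Return (fsuid, fsgid, supplementary gids) from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value.split()
    # Uid/Gid columns are: real, effective, saved, filesystem. The kernel
    # uses the filesystem ids for permission checks.
    fsuid = int(fields["Uid"][3])
    fsgid = int(fields["Gid"][3])
    groups = {int(g) for g in fields.get("Groups", [])}
    return fsuid, fsgid, groups


def may_traverse(dir_mode, dir_uid, dir_gid, fsuid, fsgid, groups):
    """True if the process has search (x) permission on the directory.

    lstat() on a file needs search permission on its parent directory.
    Exactly one permission class applies: owner, else group, else other.
    """
    if fsuid == 0:
        return True  # simplification: root normally bypasses this check
    if fsuid == dir_uid:
        return bool(dir_mode & stat.S_IXUSR)
    if fsgid == dir_gid or dir_gid in groups:
        return bool(dir_mode & stat.S_IXGRP)
    return bool(dir_mode & stat.S_IXOTH)


def diagnose(status_text, expected_groups, directory=SPOOL_DIR):
    """Compare the groups a running daemon holds with what it should hold."""
    fsuid, fsgid, groups = parse_status(status_text)
    held = groups | {fsgid}
    return {
        "missing_groups": set(expected_groups) - held,
        "can_lstat_spool_files": may_traverse(
            directory["mode"], directory["uid"], directory["gid"],
            fsuid, fsgid, groups),
    }


if __name__ == "__main__":
    # Expected groups are those listed by `id clamav` in the quoted message.
    for label, text in (("without supplementary groups", STATUS_WITHOUT_SUPP),
                        ("with supplementary groups", STATUS_WITH_SUPP)):
        print(label, diagnose(text, {113, 114}))
```

On a live system the same functions can be fed the contents of `/proc/<pid of clamd>/status` and the result of `os.stat()` on the spool directory.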



Bug#822444: Found the problem

2016-04-26 Thread Xavier Quost
Hello Sebastian, 

I found the problem, and we were both right (that's worth saying :-))

It seems that systemd doesn't start the clamd daemon with the right user / group, 
that's why the rights on the socket are not consistent when clamav-daemon 
(clamd) is started by systemd.

lstat() failed on: /var/spool/clamsmtp/clamsmtpd.EfRJY5


The following modification solves the problem:


/lib/systemd/system/clamav-daemon.service 
--
[Unit]
Description=Clam AntiVirus userspace daemon
Documentation=man:clamd(8) man:clamd.conf(5) http://www.clamav.net/lang/en/doc/
Requires=clamav-daemon.socket
# Check for database existence
ConditionPathExistsGlob=/var/lib/clamav/main.{c[vl]d,inc}
ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc}

[Service]
#ExecStart=/usr/sbin/clamd --foreground=true
# XQ 26/04/2016  add config file
ExecStart=/usr/sbin/clamd -c /etc/clamav/clamd.conf --foreground=true 
ExecReload=/bin/kill -USR2 $MAINPID
StandardOutput=syslog
# XQ 26/04/2016  add user and group
User=clamav
Group=clamav
--

Specifying User / Group seems enough, however to be sure I added the config 
file in the ExecStart line.


I also did the same for clamav-freshclam.service

--
[Unit]
Description=ClamAV virus database updater
Documentation=man:freshclam(1) man:freshclam.conf(5) http://www.clamav.net/lang/en/doc/
# If user wants it run from cron, don't start the daemon.
ConditionPathExists=!/etc/cron.d/clamav-freshclam

[Service]
#ExecStart=/usr/bin/freshclam -d --foreground=true
## XQ 26/04/2016 adding conf files and others options not sure that's useful
ExecStart=/usr/bin/freshclam -d --quiet --config-file=/etc/clamav/freshclam.conf --foreground=true
StandardOutput=syslog
## XQ 26/04/2016 adding a kill options not sure that's useful
ExecReload=/bin/kill -USR2 $MAINPID
# XQ 26/04/2016  add user and group
User=clamav
Group=clamav

[Install]
WantedBy=multi-user.target
-



I'm not familiar with systemd, however I'm surprised that when 
/etc/init.d/clamav-daemon is something like 400 lines, systemd is something 
like 10 lines.
But still I'm not familiar with systemd.



Please would you tell me if those modifications make sense, or if those shall 
be made elsewhere in the system.


Best regards

XQ



Bug#822444: [Pkg-clamav-devel] Bug#822444: clamav-daemon does not start with same options using sysinit and systemd

2016-04-24 Thread Xavier Quost

Dear Sebastian

Thanks for your quick answer. 


On Sunday 24 April 2016 21:07:16, you wrote:
> On 2016-04-24 17:39:37 [+0200], xavier quost wrote:
> > It seems that clamav-daemon does not start with the same options when
> > using systemd or sysvinit. This leads to a problem with clamsmtp / clamd
> > communication, breaking the mail checking system.
> From browsing through the logs here I can't spot the difference / error.


You are right: except for the clamsmtp error coming from postfix, nothing gives a clear 
error message.

I checked the /var/log/clamav.log (I should have started there, sorry)

Some lines bother me:

Sun Apr 24 21:36:52 2016 -> Received 0 file descriptor(s) from systemd.
vs
Sun Apr 24 17:11:21 2016 -> Received 1 file descriptor(s) from systemd.

nothing
vs
Sun Apr 24 17:11:21 2016 -> Running as user clamav (UID 126, GID 134)



Sun Apr 24 21:36:59 2016 -> LOCAL: Unix socket file /var/run/clamav/clamd.ctl
Sun Apr 24 21:36:59 2016 -> LOCAL: Setting connection queue length to 15
vs
Sun Apr 24 17:11:28 2016 -> TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd.
Sun Apr 24 17:11:28 2016 -> LOCAL: Received AF_UNIX SOCK_STREAM socket from systemd.

then the error corresponding to mail.info logs 

no error
vs
Sun Apr 24 17:14:02 2016 -> WARNING: lstat() failed on: /var/spool/clamsmtp/clamsmtpd.9g7gF4


This is the content when sysv starts clamav-daemon

Sun Apr 24 21:36:52 2016 -> +++ Started at Sun Apr 24 21:36:52 2016
Sun Apr 24 21:36:52 2016 -> Received 0 file descriptor(s) from systemd.
Sun Apr 24 21:36:52 2016 -> clamd daemon 0.99 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Sun Apr 24 21:36:52 2016 -> Log file size limited to 4294967295bytes.
Sun Apr 24 21:36:52 2016 -> Reading databases from /var/lib/clamav
Sun Apr 24 21:36:52 2016 -> Not loading PUA signatures.
Sun Apr 24 21:36:52 2016 -> Bytecode: Security mode set to "TrustSigned".
Sun Apr 24 21:36:58 2016 -> Loaded 4300057 signatures.
Sun Apr 24 21:36:59 2016 -> LOCAL: Unix socket file /var/run/clamav/clamd.ctl
Sun Apr 24 21:36:59 2016 -> LOCAL: Setting connection queue length to 15
Sun Apr 24 21:36:59 2016 -> Limits: Global size limit set to 104857600 bytes.
Sun Apr 24 21:36:59 2016 -> Limits: File size limit set to 26214400 bytes.
Sun Apr 24 21:36:59 2016 -> Limits: Recursion level limit set to 16.
Sun Apr 24 21:36:59 2016 -> Limits: Files limit set to 1.
Sun Apr 24 21:36:59 2016 -> Limits: MaxEmbeddedPE limit set to 10485760 bytes.
Sun Apr 24 21:36:59 2016 -> Limits: MaxHTMLNormalize limit set to 10485760 bytes.
Sun Apr 24 21:36:59 2016 -> Limits: MaxHTMLNoTags limit set to 2097152 bytes.
Sun Apr 24 21:36:59 2016 -> Limits: MaxScriptNormalize limit set to 5242880 bytes.
Sun Apr 24 21:36:59 2016 -> Limits: MaxZipTypeRcg limit set to 1048576 bytes.
Sun Apr 24 21:36:59 2016 -> Limits: MaxPartitions limit set to 50.
Sun Apr 24 21:36:59 2016 -> Limits: MaxIconsPE limit set to 100.
Sun Apr 24 21:36:59 2016 -> Limits: PCREMatchLimit limit set to 1.
Sun Apr 24 21:36:59 2016 -> Limits: PCRERecMatchLimit limit set to 5000.
Sun Apr 24 21:36:59 2016 -> Limits: PCREMaxFileSize limit set to 26214400.
Sun Apr 24 21:36:59 2016 -> Archive support enabled.
Sun Apr 24 21:36:59 2016 -> Algorithmic detection enabled.
Sun Apr 24 21:36:59 2016 -> Portable Executable support enabled.
Sun Apr 24 21:36:59 2016 -> ELF support enabled.
Sun Apr 24 21:36:59 2016 -> Mail files support enabled.
Sun Apr 24 21:36:59 2016 -> OLE2 support enabled.
Sun Apr 24 21:36:59 2016 -> PDF support enabled.
Sun Apr 24 21:36:59 2016 -> SWF support enabled.
Sun Apr 24 21:36:59 2016 -> HTML support enabled.
Sun Apr 24 21:36:59 2016 -> Self checking every 3600 seconds.



and this when systemd starts clamav-daemon

Sun Apr 24 17:11:21 2016 -> +++ Started at Sun Apr 24 17:11:21 2016
Sun Apr 24 17:11:21 2016 -> Received 1 file descriptor(s) from systemd.
Sun Apr 24 17:11:21 2016 -> clamd daemon 0.99 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Sun Apr 24 17:11:21 2016 -> Running as user clamav (UID 126, GID 134)
Sun Apr 24 17:11:21 2016 -> Log file size limited to 4294967295bytes.
Sun Apr 24 17:11:21 2016 -> Reading databases from /var/lib/clamav
Sun Apr 24 17:11:21 2016 -> Not loading PUA signatures.
Sun Apr 24 17:11:21 2016 -> Bytecode: Security mode set to "TrustSigned".
Sun Apr 24 17:11:27 2016 -> Loaded 4300057 signatures.
Sun Apr 24 17:11:28 2016 -> TCP: No tcp AF_INET/AF_INET6 SOCK_STREAM socket received from systemd.
Sun Apr 24 17:11:28 2016 -> LOCAL: Received AF_UNIX SOCK_STREAM socket from systemd.
Sun Apr 24 17:11:28 2016 -> Limits: Global size limit set to 104857600 bytes.
Sun Apr 24 17:11:28 2016 -> Limits: File size limit set to 26214400 bytes.
Sun Apr 24 17:11:28 2016 -> Limits: Recursion level limit set to 16.
Sun Apr 24 17:1

Bug#822444: clamav-daemon does not start with same options using sysinit and systemd

2016-04-24 Thread xavier quost
Package: clamav-daemon
Version: 0.99+dfsg-0+deb8u2
Severity: important

Dear Maintainer,

It seems that clamav-daemon does not start with the same options when using 
systemd or sysvinit.
This leads to a problem with clamsmtp / clamd communication, breaking the mail 
checking system.

when using sysv 

## check sysv
# pidof /sbin/init 
1
# pidof systemd  
zsh: exit 1 pidof systemd


clamd process is started with those default options :
# ps -ef |grep clam
clamav    6673     1  0 16:53 ?        00:00:00 /usr/bin/freshclam -d --quiet --config-file=/etc/clamav/freshclam.conf --pid=/run/clamav/freshclam.pid
clamav    8357     1  0 16:57 ?        00:00:00 /usr/sbin/clamd -c /etc/clamav/clamd.conf --pid=/run/clamav/clamd.pid
clamsmtp  8409     1  0 16:58 ?        00:00:00 /usr/sbin/clamsmtpd
root      8430  4011  0 16:58 pts/0    00:00:00 grep clam


and communication between clamsmtp and clamd works (extract from mail.info) :
Apr 24 16:59:47 pc251270 postfix/pickup[3311]: 39761221B8E: uid=0 from=
Apr 24 16:59:47 pc251270 postfix/cleanup[8443]: 39761221B8E: message-id=<20160424145947.39761221...@pc251270.valfontenay.ratp>
Apr 24 16:59:47 pc251270 postfix/qmgr[3312]: 39761221B8E: from=, size=459, nrcpt=1 (queue active)
Apr 24 16:59:47 pc251270 clamsmtpd: 10: accepted connection from: 127.0.0.1
Apr 24 16:59:47 pc251270 postfix/smtpd[8447]: connect from localhost[127.0.0.1]
Apr 24 16:59:47 pc251270 postfix/smtpd[8447]: 4956C221DD1: client=localhost[127.0.0.1]
Apr 24 16:59:47 pc251270 postfix/cleanup[8443]: 4956C221DD1: message-id=<20160424145947.39761221...@pc251270.valfontenay.ratp>
 

switching to systemd (and rebooting ;-)) )


## check systemd
# pidof systemd   
1188
# pidof /sbin/init
1190 1188 1


## it seems that clamav-daemon is no longer started with good options
# ps -ef |grep clam
clamav     678     1  0 17:11 ?        00:00:00 /usr/bin/freshclam -d --foreground=true
clamsmtp   747     1  0 17:11 ?        00:00:00 /usr/sbin/clamsmtpd
clamav     791     1  7 17:11 ?        00:00:07 /usr/sbin/clamd --foreground=true
root      1996  1733  0 17:12 pts/0    00:00:00 grep clam


Communication between clamsmtp and clamd is now failing 
Apr 24 17:14:02 pc251270 postfix/pickup[1163]: 3CC4F221B8E: uid=1000 from=
Apr 24 17:14:02 pc251270 postfix/cleanup[2006]: 3CC4F221B8E: message-id=<20160424151402.3cc4f221...@pc251270.valfontenay.ratp>
Apr 24 17:14:02 pc251270 postfix/qmgr[1164]: 3CC4F221B8E: from=, size=473, nrcpt=1 (queue active)
Apr 24 17:14:02 pc251270 clamsmtpd: 10: accepted connection from: 127.0.0.1
Apr 24 17:14:02 pc251270 postfix/smtpd[2010]: connect from localhost[127.0.0.1]
Apr 24 17:14:02 pc251270 postfix/smtpd[2010]: 535FA221DD1: client=localhost[127.0.0.1]
Apr 24 17:14:02 pc251270 clamsmtpd: 10: clamav error: /var/spool/clamsmtp/clamsmtpd.9g7gF4: lstat() failed: Permission denied. ERROR
Apr 24 17:14:02 pc251270 clamsmtpd: 10: from=xqu...@pc251270.valfontenay.ratp, to=xquost@localhost, status=CLAMAV-ERROR

Thanks, best regards

XQ


Clamsmtp configuration file :
# --
#SAMPLE CLAMSMTPD CONFIG FILE
# --
# 
# - Comments are a line that starts with a #
# - All the options are found below with their defaults commented out


# The address to send scanned mail to. 
# This option is required unless TransparentProxy is enabled
OutAddress: 10026

# The maximum number of connection allowed at once.
# Be sure that clamd can also handle this many connections
#MaxConnections: 64

# Amount of time (in seconds) to wait on network IO
#TimeOut: 180

# Address to listen on (defaults to all local addresses on port 10025)
Listen: 127.0.0.1:10025

# The address clamd is listening on
ClamAddress: /var/run/clamav/clamd.ctl

# A header to add to all scanned email
#Header: X-AV-Checked: ClamAV using ClamSMTP

# Directory for temporary files
TempDirectory: /var/spool/clamsmtp

# PidFile: location of PID file
PidFile: /var/run/clamsmtp/clamsmtpd.pid

# Whether or not to bounce email (default is to silently drop)
#Bounce: off

# Whether or not to keep virus files 
#Quarantine: off

# Enable transparent proxy support 
#TransparentProxy: off

# User to run as
User: clamsmtp

# Virus actions: There's an option to run a script every time a 
# virus is found. Read the man page for clamsmtpd.conf for details.



-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav

Config file: clamd.conf
---
LogFile = "/var/log/clamav/clamav.log"
StatsHostID = "auto"
StatsEnabled disabled
StatsPEDisabled = "yes"
StatsTimeout = "10"
LogFileUnlock disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"