Bug#867877: clamav-daemon: please respect manual configuration

2017-08-30 Thread Sebastian Andrzej Siewior 
On 2017-08-21 15:22:49 [+0200], Luca Capello wrote:
> Hi there,
Hi,

> Given that no documentation was available, not even in the upstream
> files, I was lost, so this would be the first improvement.
> 
> I was not aware that upstream chose the "full-systemd path", so I guess
> changing that is a no-op, so at least the documentation must be fixed.

Oh well. It was submitted upstream and accepted. And since then I
reverted a part of it because it caused trouble. Now that I look at this
again, I am kind of leaning towards removing the socket part as well.
I can't currently figure out a reason why the socket-support via/by
systemd is a good thing. The auto-activation thing was one thing but
this bit us at least once. So if nothing changes I probably submit a
patch upstream to remove the socket support and then we will be back to
one config file again.

> Thx, bye,
> Gismo / Luca
> 

Sebasian

Bug#867877: clamav-daemon: please respect manual configuration

2017-08-21 Thread Luca Capello 
severity 867877 minor
tags 867877 + upstream
thanks

Hi there,

On Sun, 20 Aug 2017 19:08:15 +0200, Sebastian Andrzej Siewior wrote:
> On 2017-07-10 23:39:53 [+0200], To Luca Capello wrote:
> > On 2017-07-10 11:40:20 [+0200], Luca Capello wrote:
> > > while debugging why the TCP socket was not responding, I discovered that
> > > everything was fine if clamd was manually started via the CLI.  And then
> > > I found .
> > > 
> > > Please, this is becoming ridiculous:
> > > 
> > > - clamd works as expected with *its* own configuration
> > > - there is no documentation in /usr/share/doc/clamav-daemon about the
> > >   need to dpkg-reconfigure clamav-daemon to change parameters (and even
> > >   worse behavior)
> > > - non-Debian configuration via manual modifications or automatic tools
> > >   (e.g. ) is not respected
> > 
> > so what is the problem? You want additional documentation or somehow
> > changed behavior?
[...]
> > That systemd service file is part of upstream since a few releases. You
> > could argue if systemd's socket "feature" should be used or not or third
> > party tools extended to the extend.conf file in systemd's case. Or the
> > documentation updated.
> 
> If there is no feedback, I have no idea what I can/should do.

Given that no documentation was available, not even in the upstream
files, I was lost, so this would be the first improvement.

I was not aware that upstream chose the "full-systemd path", so I guess
changing that is a no-op, so at least the documentation must be fixed.

Thx, bye,
Gismo / Luca

-- 
Luca Capello
Administrateur GNU/Linux

Infomaniak Network SA


signature.asc
Description: Digital signature

Bug#867877: clamav-daemon: please respect manual configuration

2017-08-20 Thread Sebastian Andrzej Siewior 
On 2017-07-10 23:39:53 [+0200], To Luca Capello wrote:
> On 2017-07-10 11:40:20 [+0200], Luca Capello wrote:
> > Hi there,
> Hi,
> 
> > while debugging why the TCP socket was not responding, I discovered that
> > everything was fine if clamd was manually started via the CLI.  And then
> > I found .
> > 
> > Please, this is becoming ridiculous:
> > 
> > - clamd works as expected with *its* own configuration
> > - there is no documentation in /usr/share/doc/clamav-daemon about the
> >   need to dpkg-reconfigure clamav-daemon to change parameters (and even
> >   worse behavior)
> > - non-Debian configuration via manual modifications or automatic tools
> >   (e.g. ) is not respected
> 
> so what is the problem? You want additional documentation or somehow
> changed behavior?
> You have systemd as init that means that systemd will open the
> TCP-socket. Initially we had socket activation but this was disabled -
> however it still has the socket configuration via systemd. Using
> dpkg-reconfigure will do the right thing and properly create
>   /etc/systemd/system/clamav-daemon.socket.d/extend.conf
> with the socket information. If you run under systemd then this part of
> clamd.conf will be ignored. If you start this via CLI then it won't run
> under systemd (same goes for systemV as init) and the arguments are
> parsed again.
> 
> > The combination of all the above factors suggests me that the severity
> > is higher than important, but leaving at it for now.
> 
> That systemd service file is part of upstream since a few releases. You
> could argue if systemd's socket "feature" should be used or not or third
> party tools extended to the extend.conf file in systemd's case. Or the
> documentation updated.

If there is no feedback, I have no idea what I can/should do.

Sebastian

Bug#867877: clamav-daemon: please respect manual configuration

2017-07-10 Thread Sebastian Andrzej Siewior 
On 2017-07-10 11:40:20 [+0200], Luca Capello wrote:
> Hi there,
Hi,

> while debugging why the TCP socket was not responding, I discovered that
> everything was fine if clamd was manually started via the CLI.  And then
> I found .
> 
> Please, this is becoming ridiculous:
> 
> - clamd works as expected with *its* own configuration
> - there is no documentation in /usr/share/doc/clamav-daemon about the
>   need to dpkg-reconfigure clamav-daemon to change parameters (and even
>   worse behavior)
> - non-Debian configuration via manual modifications or automatic tools
>   (e.g. ) is not respected

so what is the problem? You want additional documentation or somehow
changed behavior?
You have systemd as init that means that systemd will open the
TCP-socket. Initially we had socket activation but this was disabled -
however it still has the socket configuration via systemd. Using
dpkg-reconfigure will do the right thing and properly create
  /etc/systemd/system/clamav-daemon.socket.d/extend.conf
with the socket information. If you run under systemd then this part of
clamd.conf will be ignored. If you start this via CLI then it won't run
under systemd (same goes for systemV as init) and the arguments are
parsed again.

> The combination of all the above factors suggests me that the severity
> is higher than important, but leaving at it for now.

That systemd service file is part of upstream since a few releases. You
could argue if systemd's socket "feature" should be used or not or third
party tools extended to the extend.conf file in systemd's case. Or the
documentation updated.

> Thx, bye,
> Gismo / Luca

Sebastian

Bug#867877: clamav-daemon: please respect manual configuration

2017-07-10 Thread Luca Capello 
Package: clamav-daemon
Version: 0.99.2+dfsg-0+deb8u2
Severity: important
User: product...@infomaniak.com
Usertags: infomaniak.com-virus

Hi there,

while debugging why the TCP socket was not responding, I discovered that
everything was fine if clamd was manually started via the CLI.  And then
I found .

Please, this is becoming ridiculous:

- clamd works as expected with *its* own configuration
- there is no documentation in /usr/share/doc/clamav-daemon about the
  need to dpkg-reconfigure clamav-daemon to change parameters (and even
  worse behavior)
- non-Debian configuration via manual modifications or automatic tools
  (e.g. ) is not respected

The combination of all the above factors suggests me that the severity
is higher than important, but leaving at it for now.

Thx, bye,
Gismo / Luca

-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav

Config file: clamd.conf
---
LogFile = "/var/log/clamav/clamav.log"
StatsHostID = "auto"
StatsEnabled disabled
StatsPEDisabled = "yes"
StatsTimeout = "10"
LogFileUnlock disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
PidFile disabled
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "15"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "5"
SendBufTimeout = "200"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "3600"
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamav"
AllowSupplementaryGroups disabled
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "6"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables disabled
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
PartitionIntersection disabled
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
OLE2BlockMacros disabled
ScanPDF = "yes"
ScanSWF = "yes"
ScanXMLDOCS = "yes"
ScanHWP3 = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted disabled
ForceToDisk disabled
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxFiles = "1"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxZipTypeRcg = "1048576"
MaxPartitions = "50"
MaxIconsPE = "100"
MaxRecHWP3 = "16"
PCREMatchLimit = "1"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"
ScanOnAccess disabled
OnAccessMountPath disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
OnAccessExcludeUID disabled
OnAccessMaxFileSize = "5242880"
OnAccessDisableDDD disabled
OnAccessPrevention disabled
OnAccessExtraScanning disabled
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled

Config file: freshclam.conf
---
StatsHostID disabled
StatsEnabled disabled
StatsTimeout disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
PidFile disabled
DatabaseDirectory = "/var/lib/clamav"
Foreground disabled
Debug disabled
AllowSupplementaryGroups disabled
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "clamav"
Checks = "24"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
PrivateMirror disabled
MaxAttempts = "5"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamav/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout = "30"
SubmitDetectionStats disabled
DetectionStatsCountry disabled
DetectionStatsHostID disabled
SafeBrowsing disabled
Bytecode = "yes"