[Bug 1930393] Re: any local user can shut clamd down via control socket
** Tags removed: server-triage-discuss

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1930393

Title: any local user can shut clamd down via control socket

To manage notifications about this bug go to:
https://bugs.launchpad.net/clamav/+bug/1930393/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1930393] Re: any local user can shut clamd down via control socket
Still no updates in the upstream bug.
[Bug 1930393] Re: any local user can shut clamd down via control socket
No real movement happened upstream or in Debian. I'm not sure we should consider this Triaged, as strictly speaking this is not even a bug (as Seth noted in comment 1), and there's nothing we can actually do to make the situation better. Even upstream doesn't have clear plans or suggestions.

I'm leaving it Triaged for now, let's see what we think at the next "stale bugs triage" round :-)
[Bug 1930393] Re: any local user can shut clamd down via control socket
** Changed in: clamav (Debian)
       Status: Unknown => Confirmed
[Bug 1930393] Re: any local user can shut clamd down via control socket
The bug has been forwarded upstream, so I'm marking it as such.

** Also affects: clamav (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989549
   Importance: Unknown
       Status: Unknown

** Bug watch added: bugzilla.clamav.net/ #12782
   https://bugzilla.clamav.net/show_bug.cgi?id=12782

** Changed in: clamav
       Status: Confirmed => Unknown

** Changed in: clamav
 Remote watch: Debian Bug tracker #989549 => bugzilla.clamav.net/ #12782
[Bug 1930393] Re: any local user can shut clamd down via control socket
** Changed in: clamav
       Status: New => Confirmed
[Bug 1930393] Re: any local user can shut clamd down via control socket
Thanks for filing the bug in Debian, and I agree that's the right place to continue discussions. You also mentioned in the original bug some aspects (such as auth on incoming connections) should be addressed upstream, so you may want to also file bug reports there.

From that, if there come to be solutions in the form of backportable patches, definitely mention them on this bug report and we can consider SRUing them to focal's clamav if appropriate. (My guess is that any new auth functionality will be implemented as a new feature, and as such may not be suitable for SRU, but I am setting Importance to Medium in hopes there'll be at least some backportable elements.)

Looking forward to seeing how the upstream discussions proceed, thanks again!

** Changed in: clamav (Ubuntu)
   Importance: Undecided => Medium

** Changed in: clamav (Ubuntu)
       Status: Confirmed => Triaged
[Bug 1930393] Re: any local user can shut clamd down via control socket
> Hello Stephane, maybe joining the amavisd-new user to the clamav group would be a simpler way around the stricter socket permissions you are proposing?

Hi Simon,

No, as I said in comment #4, that doesn't work as amavisd-new doesn't set supplementary IDs, it just does a setuid() and setgid() with the configured user and group. Also we don't want to give it access to all of clamav's restricted resources (mailbox, logs...), only the socket (which we'd only restrict here to mitigate this vulnerability).
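The exchange above turns on a detail of Unix semantics: connect() on an AF_UNIX socket needs write permission on the socket inode, and group membership from /etc/group only counts if the process rebuilt its supplementary group list (initgroups()/setgroups()) before dropping privileges. The model below is an added example, not code from the thread or from ClamAV or amavisd-new; the uids, gids and the socket modes 0666/0660 are constructed values, and the two privilege-drop functions are simplified models of the two call sequences, not the real daemon's code.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class SocketInode:
    """Ownership and permission bits of a Unix-domain socket file (constructed)."""
    uid: int
    gid: int
    mode: int


@dataclass(frozen=True)
class ProcessCreds:
    """Credentials the kernel sees when a process calls connect() on the socket."""
    euid: int
    egid: int
    supplementary: frozenset = frozenset()


# Constructed user/group database for the example; the ids are arbitrary.
CLAMAV_UID, CLAMAV_GID = 120, 120
AMAVIS_UID, AMAVIS_GID = 121, 121
PLAIN_USER_UID, PLAIN_USER_GID = 1000, 1000
GROUP_MEMBERS = {CLAMAV_GID: {AMAVIS_UID}}  # amavis listed as a member of group clamav


def can_connect(inode: SocketInode, creds: ProcessCreds) -> bool:
    """connect() on an AF_UNIX socket requires write permission on the socket
    inode, so the usual owner/group/other check decides who can talk to clamd."""
    if creds.euid == 0:
        return True  # root (CAP_DAC_OVERRIDE) is not subject to these bits
    if creds.euid == inode.uid:
        return bool(inode.mode & stat.S_IWUSR)
    if creds.egid == inode.gid or inode.gid in creds.supplementary:
        return bool(inode.mode & stat.S_IWGRP)
    return bool(inode.mode & stat.S_IWOTH)


def setuid_setgid_only(uid: int, gid: int) -> ProcessCreds:
    """Model of a daemon that only calls setgid() and setuid(): the supplementary
    list is left as inherited (modelled as empty here), so membership recorded
    in the group database is never picked up."""
    return ProcessCreds(euid=uid, egid=gid, supplementary=frozenset())


def initgroups_setuid_setgid(uid: int, gid: int) -> ProcessCreds:
    """Model of the sequence initgroups()/setgroups(), setgid(), setuid():
    the supplementary list is rebuilt from the group database first."""
    extra = frozenset(g for g, members in GROUP_MEMBERS.items() if uid in members)
    return ProcessCreds(euid=uid, egid=gid, supplementary=extra)


def scenarios() -> dict:
    """Who can reach the control socket under a world-writable and a group-only mode."""
    world_writable = SocketInode(CLAMAV_UID, CLAMAV_GID, 0o666)
    group_only = SocketInode(CLAMAV_UID, CLAMAV_GID, 0o660)
    plain_user = ProcessCreds(PLAIN_USER_UID, PLAIN_USER_GID)
    amavis_bare = setuid_setgid_only(AMAVIS_UID, AMAVIS_GID)
    amavis_full = initgroups_setuid_setgid(AMAVIS_UID, AMAVIS_GID)
    return {
        "plain user, mode 0666": can_connect(world_writable, plain_user),
        "plain user, mode 0660": can_connect(group_only, plain_user),
        "amavis (setuid/setgid only), mode 0660": can_connect(group_only, amavis_bare),
        "amavis (initgroups first), mode 0660": can_connect(group_only, amavis_full),
        "root, mode 0660": can_connect(group_only, ProcessCreds(0, 0)),
    }


if __name__ == "__main__":
    for label, allowed in scenarios().items():
        print(f"{label}: {'allowed' if allowed else 'denied'}")
```

The two amavis rows are the point of the reply: with mode 0660 the group-membership workaround only helps a client that rebuilds its supplementary groups, which is why a daemon doing a bare setgid()/setuid() stays locked out and why the reply rejects it.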
[Bug 1930393] Re: any local user can shut clamd down via control socket
Hello Stephane, maybe joining the amavisd-new user to the clamav group would be a simpler way around the stricter socket permissions you are proposing?
[Bug 1930393] Re: any local user can shut clamd down via control socket
** Changed in: clamav
       Status: Unknown => New
[Bug 1930393] Re: any local user can shut clamd down via control socket
** Also affects: clamav via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989549
   Importance: Unknown
       Status: Unknown
[Bug 1930393] Re: any local user can shut clamd down via control socket
> I suggest proposing your patch in a Debian bug to get the maintainer's feedback on it.

I've now raised https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989549

Should we carry on discussion over there?

** Bug watch added: Debian Bug tracker #989549
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989549
[Bug 1930393] Re: any local user can shut clamd down via control socket
From systemd.service(5):

> Type=
> Configures the process start-up type for this service unit.
> One of simple, exec, forking, oneshot, dbus, notify or
> idle:
>
> • If set to simple (the default if ExecStart= is
> specified but neither Type= nor BusName= are), the
> service manager will consider the unit started
> immediately after the main service process has been
> forked off. [...]
> • If set to forking, it is expected that the process
> configured with ExecStart= will call fork() as part of
> its start-up. The parent process is expected to exit
> when start-up is complete and all communication
> channels are set up. The child continues to run as the
> main service process, and the service manager will
> consider the unit started when the parent process
> exits. This is the behavior of traditional UNIX
> services. If this setting is used, it is recommended to
> also use the PIDFile= option, so that systemd can
> reliably identify the main process of the service.
> systemd will proceed with starting follow-up units as
> soon as the parent process exits.

So as long as the parent doesn't exit before the service is ready to accept connections, it should be reliable. It seems to be the case here.

Note that clamd can take quite a long time to start (hence the 7 minute timeout which btw I don't think makes sense with type=simple and --foreground), which might be why type=forking was abandoned?
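Whichever Type= the unit ends up with, an operator wanting to know when clamd is actually accepting commands (the "not yet active" problem discussed above) can probe the socket directly rather than trust the parent's exit. The script below is an added example, not code from the thread, from ClamAV or from the Ubuntu packaging: it starts a constructed stand-in for clamd that only begins listening after a delay, then polls it with the read-only PING command until it answers PONG or a deadline passes. The socket path, the delay and the 0660 mode are constructed values; the "z"-prefixed, NUL-terminated command form is the one clamd documents.

```python
import os
import socket
import tempfile
import threading
import time


def start_mock_clamd(sock_path: str, startup_delay: float) -> threading.Thread:
    """Constructed stand-in for clamd's control socket: it only starts listening
    after `startup_delay` seconds, modelling a daemon whose parent has already
    returned to systemd while the worker is still loading signatures."""

    def serve() -> None:
        time.sleep(startup_delay)
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            srv.bind(sock_path)
            os.chmod(sock_path, 0o660)  # group-only access, the restriction discussed in the thread
            srv.listen(1)
            srv.settimeout(10)
            conn, _ = srv.accept()
            with conn:
                request = conn.recv(64)
                # clamd accepts "zPING\0" (NUL-terminated) or "nPING\n" (newline-terminated)
                if request in (b"zPING\0", b"nPING\n"):
                    conn.sendall(b"PONG\0")
        except socket.timeout:
            pass
        finally:
            srv.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return thread


def wait_until_ready(sock_path: str, timeout: float, interval: float = 0.1) -> bool:
    """Poll the control socket until clamd answers PING with PONG; False on timeout.
    PING is a read-only query, so the probe needs no more than connect permission."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as client:
                client.settimeout(1.0)
                client.connect(sock_path)
                client.sendall(b"zPING\0")
                if client.recv(16).startswith(b"PONG"):
                    return True
        except (FileNotFoundError, ConnectionRefusedError, PermissionError, socket.timeout):
            pass  # not bound yet, not listening yet, not permitted, or not answering: retry
        time.sleep(interval)
    return False


def demo() -> tuple:
    """Run the probe against a slow-starting mock and against a socket that never appears."""
    with tempfile.TemporaryDirectory() as workdir:
        slow = os.path.join(workdir, "clamd.ctl")
        start_mock_clamd(slow, startup_delay=0.5)
        became_ready = wait_until_ready(slow, timeout=5.0)
        never_there = wait_until_ready(os.path.join(workdir, "absent.ctl"), timeout=0.3)
    return became_ready, never_there


if __name__ == "__main__":
    print(demo())
```

A probe like this is what an ExecStartPost= step or a dependent unit would run; it returns only once the daemon itself answers, which is the guarantee Type=forking gives only if the parent really waits, and which sd_notify-based readiness gives directly.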
[Bug 1930393] Re: any local user can shut clamd down via control socket
Hmm, I thought the only 'reliable' way of addressing the 'not yet active' problem was to use the sd_notify(3) family of functions to let systemd know when a service is actually ready to handle requests.

I suggest proposing your patch in a Debian bug to get the maintainer's feedback on it. (A test case to demonstrate why you're proposing the change would probably help.)

As for the socket accepting both user commands and administrative commands, I think that will require a discussion with the upstreams of the various projects. It's wild to me that those things are co-mingled into one socket, but perhaps that's intentional for good reasons.

Thanks
[Bug 1930393] Re: any local user can shut clamd down via control socket
** Changed in: clamav (Ubuntu)
       Status: New => Confirmed

** Information type changed from Private Security to Public Security