Hello again! TL;DR for this: I came to the conclusion just now that the clamav package's apparmor profile is preventing freshclam from following symlinks to other locations. My initial testing on docker worked fine because there was no apparmor to block it.
I did my initial testing with an `ubuntu:latest` docker container and did the same basic steps you did, but without using systemctl:

    root@73282cc0fdd0:/# mv /etc/clamav/ /etc/clamav-sav/
    root@73282cc0fdd0:/# ln -s /etc/clamav-sav/ /etc/clamav
    root@73282cc0fdd0:/# ls -la /etc/clamav
    lrwxrwxrwx 1 root root 16 Mar 28 16:56 /etc/clamav -> /etc/clamav-sav/
    root@73282cc0fdd0:/# freshclam
    Sun Mar 28 16:56:30 2021 -> ClamAV update process started at Sun Mar 28 16:56:30 2021
    Sun Mar 28 16:56:30 2021 -> daily database available for download (remote version: 26123)
    Time: 5.2s, ETA: 0.0s [=============================>] 100.63MiB/100.63MiB
    Sun Mar 28 16:56:37 2021 -> Testing database: '/var/lib/clamav/tmp.0300c/clamav-a52b68eeaedacca470206a9e64d75b61.tmp-daily.cvd' ...
    Sun Mar 28 16:56:44 2021 -> Database test passed.
    Sun Mar 28 16:56:44 2021 -> daily.cvd updated (version: 26123, sigs: 3966434, f-level: 63, builder: raynman)
    Sun Mar 28 16:56:44 2021 -> main database available for download (remote version: 59)
    Time: 6.5s, ETA: 0.0s [=============================>] 112.40MiB/112.40MiB
    Sun Mar 28 16:56:53 2021 -> Testing database: '/var/lib/clamav/tmp.0300c/clamav-9650f62b7145d02d11deba097e796ab7.tmp-main.cvd' ...
    Sun Mar 28 16:56:56 2021 -> Database test passed.
    Sun Mar 28 16:56:56 2021 -> main.cvd updated (version: 59, sigs: 4564902, f-level: 60, builder: sigmgr)
    Sun Mar 28 16:56:56 2021 -> bytecode database available for download (remote version: 333)
    Time: 0.3s, ETA: 0.0s [=============================>] 286.79KiB/286.79KiB
    Sun Mar 28 16:56:57 2021 -> Testing database: '/var/lib/clamav/tmp.0300c/clamav-f01c8381097dc0fec61ba95a42a3cf49.tmp-bytecode.cvd' ...
    Sun Mar 28 16:56:57 2021 -> Database test passed.
    Sun Mar 28 16:56:57 2021 -> bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)
    Sun Mar 28 16:56:57 2021 -> !NotifyClamd: Can't find or parse configuration file /etc/clamav/clamd.conf

As you can see, this worked fine which is why I sent my previous email. But after speaking with Utkarsh Gupta, I decided to re-read your instructions and follow them more closely.

I set up an ubuntu 20.04 VM and ran the following:

    micah@ubuntu20:~$ sudo mv -f /etc/clamav/ /etc/clamav.sav
    micah@ubuntu20:~$ sudo ln -fsv /etc/clamav.sav /etc/clamav
    '/etc/clamav' -> '/etc/clamav.sav'
    micah@ubuntu20:~$ sudo systemctl restart clamav-freshclam
    micah@ubuntu20:~$ sudo systemctl status clamav-freshclam
    ● clamav-freshclam.service - ClamAV virus database updater
         Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled)
         Active: failed (Result: exit-code) since Mon 2021-03-29 01:33:29 UTC; 9s ago
           Docs: man:freshclam(1)
                 man:freshclam.conf(5)
                 https://www.clamav.net/documents
        Process: 3593 ExecStart=/usr/bin/freshclam -d --foreground=true (code=exited, status=2)
       Main PID: 3593 (code=exited, status=2)

    Mar 29 01:33:29 ubuntu20 systemd[1]: Started ClamAV virus database updater.
    Mar 29 01:33:29 ubuntu20 freshclam[3593]: ERROR: Can't open/parse the config file /etc/clamav/freshclam.conf
    Mar 29 01:33:29 ubuntu20 systemd[1]: clamav-freshclam.service: Main process exited, code=exited, status=2/IN>
    Mar 29 01:33:29 ubuntu20 systemd[1]: clamav-freshclam.service: Failed with result 'exit-code'.

This resulted in the same issue you reported. I also tried just running it without systemctl:

    micah@ubuntu20:~$ sudo freshclam
    ERROR: Can't open/parse the config file /etc/clamav/freshclam.conf

So, same problem you described. It seems strange to me that it followed the symlink okay in the docker container but not on the VM.
Still on the VM, I tried uninstalling clamav (sudo apt uninstall clamav) and then installing with cmake from source:

    git clone https://github.com/Cisco-Talos/clamav-devel.git
    cd clamav-devel/
    mkdir build && cd build
    sudo apt install -y ninja-build gcc python3 python3-pip check libbz2-dev libcurl4-openssl-dev libjson-c-dev libmilter-dev libncurses5-dev libpcre2-dev libssl-dev libxml2-dev zlib1g-dev
    python3 -m pip install --user cmake
    echo "export PATH=/home/micah/.local/bin:$PATH" > ~/.bashrc
    source ~/.bashrc
    cmake .. -G Ninja && ninja && sudo ninja install
    sudo cp /usr/local/etc/freshclam.conf.sample /usr/local/etc/freshclam.conf
    sudo vim /usr/local/etc/freshclam.conf # <-- removed the "Example" line
    sudo freshclam # worked
    sudo mv /usr/local/etc/ /usr/local/etc.sav
    sudo ln -s /usr/local/etc.sav/ /usr/local/etc
    sudo freshclam # also worked

Here's a copy-paste from those last few commands:

    micah@ubuntu20:~/clamav-devel/build$ ls /usr/local/etc/
    clamav-milter.conf.sample clamd.conf.sample freshclam.conf freshclam.conf.sample
    micah@ubuntu20:~/clamav-devel/build$ sudo mv /usr/local/etc/ /usr/local/etc.sav
    micah@ubuntu20:~/clamav-devel/build$ sudo ln -s /usr/local/etc.sav/ /usr/local/etc
    micah@ubuntu20:~/clamav-devel/build$ sudo freshclam
    ClamAV update process started at Mon Mar 29 01:56:19 2021
    daily database available for download (remote version: 26123)
    Time: 3.6s, ETA: 0.0s [========================>] 100.63MiB/100.63MiB
    Testing database: '/usr/local/share/clamav/tmp.dc65adbc0c/clamav-6f3994d5fd9cd918e7c07311c03f4da7.tmp-daily.cvd' ...
    ^CUpdate process terminated

So I'm not sure what's going on here. It did seem to follow the symlink for the freshclam.conf file when installed from source on the Ubuntu VM.
I imagine we could get around the problem by using this "cli_realpath()" function before trying to access these files: https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.104/libclamav/others.h#L982

You said you also saw the issue with:
- /etc/ssl
- /etc/ssl/certs

I was also able to reproduce this issue when using the clamav package on the ubuntu VM:

    micah@ubuntu20:~$ sudo mv /etc/ssl /etc/ssl.sav
    micah@ubuntu20:~$ sudo ln -s /etc/ssl.sav /etc/ssl
    micah@ubuntu20:~$ sudo freshclam
    Mon Mar 29 02:21:07 2021 -> ClamAV update process started at Mon Mar 29 02:21:07 2021
    Mon Mar 29 02:21:07 2021 -> daily database available for download (remote version: 26123)
    Mon Mar 29 02:21:07 2021 -> ^Download failed (77)
    Mon Mar 29 02:21:07 2021 -> ^ Message: Problem with the SSL CA cert (path? access rights?)
    Mon Mar 29 02:21:07 2021 -> ^getcvd: Can't download daily.cvd from https://database.clamav.net/daily.cvd
    Mon Mar 29 02:21:07 2021 -> Trying again in 5 secs...

Without removing the ssl -> /etc/ssl.sav Symlink, I removed the "clamav" package again and reinstalled clamav from source and configured freshclam.conf again. I ran freshclam again and it worked okay:

    micah@ubuntu20:~/clamav-devel/build$ sudo freshclam
    ClamAV update process started at Mon Mar 29 02:24:51 2021
    daily.cvd database is up to date (version: 26123, sigs: 3966434, f-level: 63, builder: raynman)
    main database available for download (remote version: 59)
    Time: 4.0s, ETA: 0.0s [========================>] 112.40MiB/112.40MiB
    Testing database: '/usr/local/share/clamav/tmp.6595bb7d72/clamav-d96b8da019a765975d9b6d25cdba11a7.tmp-main.cvd' ...

So in the end, I was only able to reproduce the issue with the Ubuntu clamav package on the VM (vs docker). This got me to thinking that it's probably the apparmor profile preventing freshclam from opening these files: /etc/apparmor.d/usr.bin.freshclam

The apparmor profile lists which directories freshclam is allowed to access and with what permissions.
I'm not skilled with apparmor and wouldn't know how to change it to be more permissive with symlinks to other locations. I'll pass my findings on to Utkarsh Gupta as well.

Regards,
Micah

> -----Original Message-----
> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf Of Micah Snyder (micasnyd)
> Sent: Saturday, March 27, 2021 4:54 PM
> To: ClamAV Development <clamav-devel@lists.clamav.net>
> Subject: Re: [Clamav-devel] [SUSPECTED SPAM] [Feature request] Support Linux symlinks for all configuration and database folders
>
> Hello!
>
> Apologies for the delay getting back to you. I also saw this report:
> https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1920615/
>
> I tried to reproduce the issue you described but was unable. I tried moving the
> ssl directory and moving the clamav directory and then created symlinks to
> each. Eg:
>
> root@117df8bca60f:/# ls -la /var/lib/
> total 64
> ...
> lrwxrwxrwx 1 root root 22 Mar 27 23:38 clamav -> /var/lib/clamav_moved/
>
> and
>
> root@117df8bca60f:/# ls -la /etc/
> ...
> lrwxrwxrwx 1 root root 15 Mar 27 23:37 ssl -> /etc/ssl_moved/
>
> I had no problems running freshclam with these symlinks set up. I don't think
> there is a bug here. I suspect that perhaps the permissions or ownership of your
> replacement directories or symlinks are causing the issue. When freshclam is
> run by sudo, it switches users to run as the "clamav" user. The database
> directory must be owned by the "clamav" user. The config files, ssl files must
> be accessible to the clamav user.
>
> If you want to share your exact layout, ownership and permissions of these files
> and directories I can try to help more.
>
> -Micah
>
>
> > -----Original Message-----
> > From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf Of jean-christophe manciot
> > Sent: Monday, March 22, 2021 6:30 AM
> > To: clamav-devel@lists.clamav.net
> > Subject: [SUSPECTED SPAM] [Clamav-devel] [Feature request] Support Linux symlinks for all configuration and database folders
> >
> > On Ubuntu, freshclam 0.103.0+dfsg-3.1 does not support symlinks for
> > any of the following:
> > - /etc/clamav
> > - /etc/ssl
> > - /etc/ssl/certs
> > - /var/lib/clamav
> >
> > If any of the aforementioned folders is a symlink, no database update
> > by freshclam is possible.
> > Cf. bug report
> > https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1920615.
> > _______________________________________________
> >
> > clamav-devel mailing list
> > clamav-devel@lists.clamav.net
> > https://lists.clamav.net/mailman/listinfo/clamav-devel
> >
> > Please submit your patches to our Github: https://github.com/Cisco-Talos/clamav-devel/pulls
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
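
Added example, not part of the original message or of ClamAV: AppArmor matches file rules against the path after symlinks are resolved, so a denial shows up in the kernel audit log under the moved directory's name. The sketch below pulls those denials for the freshclam profile and prints candidate file rules; the log lines are constructed, and the profile name `/usr/bin/freshclam` is assumed from the profile file named in the message.

```python
import re
from collections import defaultdict

# Constructed kernel audit lines for illustration; not captured from the hosts in this thread.
SAMPLE_LOG = '''\
Mar 29 01:33:29 ubuntu20 kernel: audit: type=1400 audit(1616981609.101:41): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/clamav.sav/freshclam.conf" pid=3593 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 29 02:21:07 ubuntu20 kernel: audit: type=1400 audit(1616984467.220:57): apparmor="DENIED" operation="open" profile="/usr/bin/freshclam" name="/etc/ssl.sav/certs/ca-certificates.crt" pid=4102 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 29 02:21:08 ubuntu20 kernel: audit: type=1400 audit(1616984468.010:58): apparmor="DENIED" operation="mknod" profile="/usr/bin/freshclam" name="/var/lib/clamav_moved/daily.cvd" pid=4102 comm="freshclam" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
Mar 29 02:21:09 ubuntu20 kernel: audit: type=1400 audit(1616984469.310:59): apparmor="ALLOWED" operation="open" profile="/usr/bin/freshclam" name="/etc/clamav.sav/clamd.conf" pid=4102 comm="freshclam" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Mar 29 02:21:10 ubuntu20 kernel: audit: type=1400 audit(1616984470.500:60): apparmor="DENIED" operation="open" profile="/usr/sbin/tcpdump" name="/etc/ssl.sav/openssl.cnf" pid=812 comm="tcpdump" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
'''

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit masks "c" (create) and "d" (delete) are granted by "w" in profile rules.
MASK_TO_RULE = {"c": "w", "d": "w"}


def parse_audit(line):
    """Split one audit record into its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def freshclam_denials(log, profile="/usr/bin/freshclam"):
    """Map each path the profile refused to the set of denied access modes."""
    denied = defaultdict(set)
    for line in log.splitlines():
        f = parse_audit(line)
        if f.get("apparmor") == "DENIED" and f.get("profile") == profile and "name" in f:
            denied[f["name"]].update(f.get("denied_mask", ""))
    return dict(denied)


def suggest_rules(denied):
    """Render file rules granting only the denied modes on the resolved paths."""
    rules = []
    for path in sorted(denied):
        modes = {MASK_TO_RULE.get(m, m) for m in denied[path]}
        perms = "".join(m for m in "rwaklmx" if m in modes)
        rules.append(f"  {path} {perms},")
    return rules


if __name__ == "__main__":
    print("\n".join(suggest_rules(freshclam_denials(SAMPLE_LOG))))
```

On a real host the input would come from the kernel log (for example `journalctl -k`), and the printed rules are candidates to review before adding them to the profile. `apparmor_parser -r /etc/apparmor.d/usr.bin.freshclam` reloads the profile after a change.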