On Thu, 20 Mar 2003, Dave Sill wrote:

> Date: 20 Mar 2003 11:27:05 -0500
> From: Dave Sill <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [clamav-users] Clamav and qmail - your experiences and
>     opinions
>
> Tomasz Kojm <[EMAIL PROTECTED]> writes:
>
> > On Wed, Mar 19, 2003 at 04:09:22PM -0500, Dave Sill wrote:
> > >
> > > OK, I tried that on my RH 8.0, clamav-20030317, qmail-scanner-1.16
> > > system and got:
> > >
> > >   19/03/2003 15:53:06:3757: --output of clamscan was:
> > >   /var/spool/qmailscan/sws510481071864263757: Can't stat() the file ERROR
> >
> > This is a permission problem. Run clamd with a proper UID and GID (check
> > ls -l /var/spool/qmailscan).
>
> So clamd needs to run as a user with access to the files to be
> scanned. That seems reasonable, except that means it needs to run as
> root in order to be able to scan any file...and that's not something
> I'm keen to do. I guess it'd be OK to run clamd as qmaild, the user
> that owns /var/spool/qmailscan.
>
> This is a pretty important limitation to using clamd/clamdscan. Is it
> documented?

Sure... run "man intro" on most any Unix system and read the part about
permissions, uids, etc., ... ;-)

Of course, for a process to be able to read ANY file on a Unix system the
process needs to be running with uid 0, or the files themselves need to
have proper permissions set.  There's not really anything ClamAV can do to
change these simple facts.  Did you think clamd would somehow be able to
bypass normal Unix file permissions?  What would you like clamd to do
exactly?

In our setup, we use sendmail + MIMEDefang + clamd.  When the email
messages/attachments are broken out by MD to be scanned, they are owned by
the user that MIMEDefang runs as (in our case, "defang").  So, we just
make clamd run as "defang" so it can scan the mail files.

        Ed

Ed Phillips <[EMAIL PROTECTED]> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l [EMAIL PROTECTED] for PGP public key
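
A way to find which path component produces the "Can't stat() the file" error for the account clamd runs as, added here as an example; it is not part of the original message or of ClamAV. The names `first_blocker`, `class_bits` and the `base` parameter are illustrative, and only classic owner/group/other mode bits are evaluated.

```python
import os

def class_bits(st, uid, gids):
    """Return the rwx triplet (0-7) the mode bits grant to uid/gids."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7   # owner class
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7   # group class
    return st.st_mode & 7              # other class

def first_blocker(path, uid, gids, base="/"):
    """Return (component, reason) for the first thing that stops uid from
    reading `path`, or None if the mode bits allow it.
    Only components from `base` downward are checked.
    Assumption: ACLs, capabilities and MAC policy (e.g. SELinux) are ignored."""
    if uid == 0:
        return None  # uid 0 bypasses mode-bit checks
    path, base = os.path.abspath(path), os.path.abspath(base)
    rel = os.path.relpath(path, base)
    if rel.startswith(os.pardir):
        raise ValueError("path is not below base")
    parts = [] if rel == os.curdir else rel.split(os.sep)
    current = base
    # Each directory on the way needs the search (x) bit for this user;
    # without it, stat() on anything inside fails, whatever the file's mode.
    for part in parts:
        if not class_bits(os.stat(current), uid, gids) & 1:
            return (current, "no search (x) permission on directory")
        current = os.path.join(current, part)
    if not class_bits(os.stat(current), uid, gids) & 4:
        return (current, "no read (r) permission on file")
    return None

if __name__ == "__main__":
    # Usage: script.py <file-to-scan> <user clamd runs as>
    # Run it as a user that can itself traverse the path (e.g. the spool owner).
    import pwd
    import sys
    target, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    print(first_blocker(target, pw.pw_uid, gids) or "mode bits allow access")
```
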
