On Fri, 13 Apr 2007, Tomasz Kojm wrote:

> On Thu, 12 Apr 2007 16:22:51 -0600 (MDT)
> James Bourne <[EMAIL PROTECTED]> wrote:
>
>> On Fri, 13 Apr 2007, Tomasz Kojm wrote:
>>
>>> On Thu, 12 Apr 2007 18:08:06 -0400
>>> James Kosin <[EMAIL PROTECTED]> wrote:
>>>
>>>> I just tested and clamd will try to read any file with the extension
>>>> of .cvd in the /var/lib/clamav directory.
>>>> My simple question is:
>>>> "Could this pose a security or virus scanning problem if someone
>>>> managed to place an empty or invalid .cvd file intentionally in the
>>>> database directory?"
>>>
>>> And what if the same person replaces clamd with a backdoor? Did you hear
>>> about filesystem permissions?
>>
>> He does have a point and it's not about filesystem permissions, unless you
>> run clamd as root.... You don't... Do you?
>>
>> If there is a remote security hole in a non-root process such as clamd that
>> has write access to /var/lib/clamav but not to /usr/sbin/clamd or
>> /usr/bin/freshclam then it is possible to remotely cause a DOS on clamd by
>> placing a blank file called whatever.cvd and waiting for clamd to be
>> reloaded by freshclam.
>
> This can be solved using file permissions as well, e.g. by running clamd with
> only read privileges to the database directory.

Freshclam though needs to be able to not only write to the cvd files but to
also signal clamd to reload the cvd files. Yes it may be possible, but that's
still no excuse for clamd to bail when presented with two sets of data files,
one invalid and one valid.

Regards
James

-- 
James Bourne                | Email: [EMAIL PROTECTED]
UNIX Systems Administration | WWW: http://www.hardrock.org
Custom UNIX Programming     | Linux: The choice of a GNU generation
----------------------------------------------------------------------
"All you need's an occasional kick in the philosophy." Frank Herbert

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
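A defender-side sanity check for the scenario the thread discusses (an empty or malformed .cvd sitting in the database directory when clamd is told to reload), as an added example that is not part of the thread or of ClamAV itself. It assumes the CVD container starts with a 512-byte colon-separated text header beginning with `ClamAV-VDB:` and carrying the signature count in the fourth field; the sample header values and the temporary directory are constructed.

```python
"""Check *.cvd files in a database directory before signalling clamd to reload.

Added example, not ClamAV code. Flags what the thread worries about: an empty
or truncated .cvd, or one whose header lacks the CVD magic. The 512-byte header
length and field order are assumptions about the CVD format, not taken from
the thread.
"""
import os
import tempfile

CVD_MAGIC = b"ClamAV-VDB:"
CVD_HEADER_LEN = 512  # assumed size of the text header that precedes the payload


def check_cvd(path):
    """Return (ok, reason) for a single database file."""
    size = os.path.getsize(path)
    if size == 0:
        return False, "empty file"
    if size < CVD_HEADER_LEN:
        return False, "truncated: %d bytes, header needs %d" % (size, CVD_HEADER_LEN)
    with open(path, "rb") as fh:
        header = fh.read(CVD_HEADER_LEN)
    if not header.startswith(CVD_MAGIC):
        return False, "bad magic"
    # Colon-separated header; field 3 is assumed to be the signature count.
    fields = header.decode("ascii", "replace").rstrip(" \x00").split(":")
    if len(fields) < 4 or not fields[3].isdigit():
        return False, "malformed header fields"
    return True, "%s signatures" % fields[3]


def check_database_dir(dbdir):
    """Map each *.cvd in dbdir to its check result; reload only if all are ok."""
    return {
        name: check_cvd(os.path.join(dbdir, name))
        for name in sorted(os.listdir(dbdir))
        if name.endswith(".cvd")
    }


def demo():
    """Constructed sample: one well-formed header plus one empty daily.cvd."""
    dbdir = tempfile.mkdtemp()
    good = b"ClamAV-VDB:12 Apr 2007 16-00 -0400:3094:107215:10:<md5>:<dsig>:sven:1176408000"
    with open(os.path.join(dbdir, "main.cvd"), "wb") as fh:
        fh.write(good.ljust(CVD_HEADER_LEN, b" ") + b"\x1f\x8b")  # header + gzip magic
    open(os.path.join(dbdir, "daily.cvd"), "wb").close()  # the blank file from the thread
    return check_database_dir(dbdir)
```

Running `demo()` reports main.cvd as ok and daily.cvd as an empty file, which is the condition a reload wrapper around freshclam would refuse to proceed on.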