At 7:03 AM -0700 6/11/09, Dennis Peterson wrote:
>Ian Cheong wrote:
>>  I've just done a clean (previous uninstall) default (configure;make;install
>>  with no options) install of clamAV0.95.2 on MacOS10.5.7. Running freshclam
>>  generates the following errors.
>>
>>  ERROR: chdir_tmp: Can't create directory
>>  ./clamav-f6cd08cec8c72896e10b38ef34215214
>>  WARNING: Incremental update failed, trying to download daily.cvd
>>  ERROR: getfile: Can't create new file
>>  /usr/local/share/clamav/clamav-6fbf53c3126704c0b95f1b04f7d580ea in
>>  /usr/local/share/clamav
>>  Hint: The database directory must be writable for UID 501 (me) or GID 501
>>  (admin users)
>>
>>  Default permission on database:
>>  drwxrwxr-x   4 _clamav  _clamav       136 11 Jun 08:24 clamav
>>
>>  Freshclam.conf:  DatabaseOwner _clamav
>>
>>  I can easily make the error go away by giving me or everyone rw permissions
>>  on the clamav database directory. I note this error in various fora at least
>>  for MacOS and Windows.
>>
>>  My question is:
>>  What is the ideal secure solution for freshclam and clamav database
>>  permissions?
>>
>
>This is a concepts issue. Maintaining the signatures is not a user space
>operation. Freshclam is designed to either run automatically (as daemon) as a
>designated unprivileged user, or as a cron process run as root or as the
>designated user. As a daemon it can be started by root or the designated user.
>That designated user is the only user that requires write access to the
>signature directory. For security the designated user is the only user that
>*should* have write access to the signature directory and files. Otherwise any
>clever malware would be able to delete those signatures. It can also be messy to
>manage permissions on files that all people have write access to given the wide
>range of umask possibilities each user can have.
>
>If it is expected that the ClamAV clamscan scanner be used by end users then the
>signature files need to be readable by all. This is because clamscan, run as an
>end user, needs to read the signatures. If it is expected that clamdscan is used
>by the end users then the signatures directory and files need be readable only
>by the clamd user, presumably _clamav:_clamav, and the users will need to be
>trained in how to submit files to clamd for testing. It is assumed that user
>_clamav will not necessarily have read access to all files on a system and so
>there are work-arounds.
>
>My solution is as follows:
>
>drwxr-xr-x   4 _clamav  _clamav       136 11 Jun 08:24 clamav
>-rw-r--r--   1 _clamav  _clamav  47079936  6 Jun 09:17 main.cld
>-rw-r--r--   1 _clamav  _clamav  1740800  10 Jun 12:14 daily.cld
>
>Freshclam is run as a cron process by user root, clamd is started by root in an
>init script on startup and maintained by a daemon watch tool I wrote.
>
>Any user has executable permissions on clamscan, clamdscan, and sigtool. The
>clamd socket is read/write by all users.

Under OSX you should not run freshclam as a daemon but as a periodic
process run by launchd as _clamav:_clamav. Likewise for clamd. This
allows for automatic process restart by launchd if there is a problem
(for example the bug that caused 0.94.2 to randomly crash using
unofficials on some systems). Using launchd rather than startup
scripts or cron jobs is much cleaner under OSX.

As for DB I agree that the files should be _clamav:_clamav -rw-r--r-

Tom
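
The permission layout discussed in this thread, written as a check that can be run after an install or from a periodic job. This is an added example, not part of either message or of ClamAV; the function name and finding labels are hypothetical, and the world-readable rule assumes the case where end users run clamscan themselves.

```shell
#!/bin/sh
# Added example: audit a ClamAV signature directory against the layout
# described in this thread. The owner account is an argument because the
# designated user differs per install (_clamav in this thread).
# Usage: audit_clamav_db /usr/local/share/clamav _clamav
# Returns 0 = layout matches, 1 = findings printed, 2 = check could not run.
audit_clamav_db() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "ERROR: $dir is not a directory" >&2; return 2; }

    # An unknown account makes find fail; treat that as an error, not a pass.
    wrong_owner=$(find "$dir" ! -user "$owner" -print 2>/dev/null) || {
        echo "ERROR: cannot check ownership against '$owner'" >&2
        return 2
    }

    findings=$(
        [ -z "$wrong_owner" ] ||
            printf '%s\n' "$wrong_owner" | sed 's/^/WRONG-OWNER: /'
        # Only the designated user may write (symlink mode bits are ignored).
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/GROUP-OR-WORLD-WRITABLE: /'
        # clamscan run by an end user must be able to read the signatures.
        find "$dir" -type f ! -perm -004 -print |
            sed 's/^/NOT-WORLD-READABLE: /'
        find "$dir" -type d ! -perm -005 -print |
            sed 's/^/DIR-NOT-LISTABLE: /'
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run against the directory listing in the original question (mode drwxrwxr-x), this reports the directory as GROUP-OR-WORLD-WRITABLE.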
