Hello, I am trying to trace the reasoning behind behaviour I don't understand with regard to permissions on the clamd.socket and simscan.
My clamav runs under daemontools. I am keeping my clamd.socket in /tmp. My problem is *not* with clamav being able to access files in the simscan directory, that works just fine. For the sake of testing this phenomenon, I have simscan in the clamav group and clamav in the simscan group:

id simscan
uid=513(simscan) gid=513(simscan) groups=513(simscan),512(clamav)
id clamav
uid=512(clamav) gid=512(clamav) groups=512(clamav),513(simscan)

Consider the following 7 permissions scenarios on the clamav socket:

1: srw-rw---- 1 clamav simscan 0 Jul 29 10:04 clamd.socket
-svc -t /service/clamd: Socket file removed.
-simscan: clamdscan: ERROR: Can't connect to clamd: Permission denied

2: srw-rw---- 1 simscan clamav 0 Jul 29 10:04 clamd.socket
-svc -t /service/clamd: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan successfully scans the test message

3: s---rw---- 1 clamav simscan 0 Jul 29 10:04 clamd.socket
-svc -t /service/clamd: Socket file removed.
-simscan test message: ERROR: Can't connect to clamd: Permission denied

4: s---rw---- 1 simscan clamav 0 Jul 29 10:04 clamd.socket
-svc -t /service/clamd: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan test: ERROR: Can't connect to clamd: Permission denied

5: s------rw- 1 root root 0 Jul 29 10:04 clamd.socket
-svc -t /service/clamd: ERROR: LOCAL: Socket file /tmp/clamd.socket could not be removed: Operation not permitted
-simscan test: ERROR: Can't connect to clamd: Permission denied

6: s------rw- 1 clamav simscan 0 Jul 29 10:04 clamd.socket
-svc -t /service/clamd: Socket file removed.
-simscan test: scans successfully

7: s------rw- 1 simscan clamav 0 Jul 29 10:25 clamd.socket
-svc -t /service/clamd: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan test: ERROR: Can't connect to clamd: Permission denied

In the above scenarios, I don't understand:

-If the clamav group has rw on the socket, why does svc -t only work when clamav is the owner?
-How can the clamav user apparently have access to the socket without rw (#3)?
-Conversely, why is the same true of simscan user - why can it scan as a user with rw, but not as a group with rw (except in #6)?
-How can clamav successfully scan as user without rw, while simscan user needs rw to connect (#3/#4)?
-How can #6 work, when #5 and #7 do not? Don't world perms let anybody connect, regardless of owner/group?

The way I see it, because of the group rw, I think scenario #1 should work to let both simscan scan and daemontools to restart clamd. As should #2. I also think, because of the world rw, scenarios #5 and #7 should work for both services as well as #6 does. I think in scenario #3 the results should be opposite to what they are, and in scenario #4, I think clamav should successfully restart. Somehow I ended up in opposite land.

I also think there should be a way to let both clamav and simscan connect to the clamd.socket without world permissions. But nothing I try seems to work like I think it should. I even tried putting simscan and clamav users into a new group and owning the socket to that group, but the results were equally underwhelming.

What is happening is completely contrary to what I think I know should be happening. As best as I can tell, user/group rw permissions on the clamd.socket are being ignored. It seems to matter more who owns the socket than whether that owner has rw perms on it. Surely there is some documentation that would explain this discrepancy, but I have spent a good deal of time on Google over the last few days and not found it. Would anybody be able to point me at such documentation, or offer explanation to clear my confusion?

Thanks for any thoughts you wish to share...

--
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
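
What the standard Unix rules predict for the seven scenarios above, as an added example that is not part of the original post and is not ClamAV or simscan code: connecting to a socket needs write permission from the single class that matches the process (owner, else group, else other), and removing it from a sticky directory needs ownership. It assumes Linux semantics, that /tmp is the usual root-owned, world-writable sticky directory, and the uid/gid numbers from the `id` output; the function names are invented for this example.

```python
# Added example: a model of the kernel's permission checks, not project code.
import stat

# In the post's `id` output each user and its same-named group share a number.
IDS = {"root": 0, "clamav": 512, "simscan": 513}

# The seven `ls -l` lines from the post, reduced to (mode, owner, group).
SCENARIOS = {
    1: ("srw-rw----", "clamav", "simscan"),
    2: ("srw-rw----", "simscan", "clamav"),
    3: ("s---rw----", "clamav", "simscan"),
    4: ("s---rw----", "simscan", "clamav"),
    5: ("s------rw-", "root", "root"),
    6: ("s------rw-", "clamav", "simscan"),
    7: ("s------rw-", "simscan", "clamav"),
}

def parse_mode(text):
    """Turn the nine permission characters of an ls -l mode into mode bits."""
    bits = 0
    for i, ch in enumerate(text[1:10]):
        if ch != "-":
            bits |= 1 << (8 - i)
    return bits

def may_write(mode, owner, group, euid, gids):
    """Exactly one class is consulted: owner, else group, else other."""
    if euid == 0:
        return True                      # root bypasses the mode bits
    if euid == owner:
        return bool(mode & stat.S_IWUSR)  # owner bits only, no fallthrough
    if group in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def may_unlink_in_sticky_dir(owner, euid, dir_owner=0):
    """Sticky directory: only file owner, directory owner or root may unlink."""
    return euid in (0, owner, dir_owner)

def evaluate(n, euid, gids):
    """(connect_allowed, unlink_allowed) for scenario n and process credentials."""
    text, owner, group = SCENARIOS[n]
    uid, gid = IDS[owner], IDS[group]
    return (may_write(parse_mode(text), uid, gid, euid, gids),
            may_unlink_in_sticky_dir(uid, euid))

if __name__ == "__main__":
    for n in SCENARIOS:
        print(n, "simscan connect:", evaluate(n, 513, {513, 512})[0],
              "clamav unlink:", evaluate(n, 512, {512, 513})[1])
```

The kernel checks the credentials of the running process, which need not match what `id simscan` reads from the group database. Pass `evaluate` the euid and groups the process actually holds, for example from the `Uid` and `Groups` lines of /proc/<pid>/status.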