Hello,
> > srw-rw---- 1 root root 0 Jul 31 10:04 clamd.socket
> >
> > This way clamd runs as root, daemontools can restart clamd, and simscan
> > can scan the test message. It works, but I am not really liking the
> > idea of running clamd as root.
>
> That wasn't what I suggested, and I agree with Mr. Peterson. :)
>
> My suggestion was merely that you change the owner of the socket
> and repeat your tests. Nothing more, nothing less, nothing else.
> You might find the results interesting.
I did do them, but noted nothing interesting. It was based on the
assumption that the owner of the socket should be root, and this was the
(a) solution to fixing clamav to fit that assumption.
However, your point is well taken in that I did not do the slow,
methodical and thorough kind of trying. I also had to give my brain a
slap yesterday for skimming articles I have already read instead of
reading them again - can't learn what I think I already know....
So, documenting the experience (all tests repeated, the old and the
new):
1.
a. srw-rw---- 1 clamav simscan 0 Aug 1 13:39 clamd.socket
-clam restart: Socket file removed.
-simscan: ERROR: Can't connect to clamd: Permission denied
b. srw-rw---- 1 root simscan 0 Aug 1 13:42 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: ERROR: Can't connect to clamd: Permission denied
2.
a. srw-rw---- 1 simscan clamav 0 Aug 1 13:44 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: success
b. srw-rw---- 1 root clamav 0 Aug 1 13:58 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: ERROR: Can't connect to clamd: Permission denied
3.
a. s---rw---- 1 clamav simscan 0 Aug 1 14:01 clamd.socket
-clam restart: Socket file removed.
-simscan: ERROR: Can't connect to clamd: Permission denied
b. s---rw---- 1 root simscan 0 Aug 1 14:26 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: ERROR: Can't connect to clamd: Permission denied
4.
a. s---rw---- 1 simscan clamav 0 Aug 1 14:33 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: ERROR: Can't connect to clamd: Permission denied
b. s---rw---- 1 root clamav 0 Aug 1 14:36 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: ERROR: Can't connect to clamd: Permission denied
5.
a. s------rw- 1 root root 0 Aug 1 14:40 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: ERROR: Can't connect to clamd: Permission denied
b. -
-clam restart: -
-simscan: -
6.
a. s------rw- 1 clamav simscan 0 Aug 1 14:43 clamd.socket
-clam restart: Socket file removed.
-simscan: success
b. s------rw- 1 root simscan 0 Aug 1 14:44 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: success
7.
a. s------rw- 1 simscan clamav 0 Aug 1 14:49 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: ERROR: Can't connect to clamd: Permission denied
b. s------rw- 1 root clamav 0 Aug 1 14:52 clamd.socket
-clam restart: ERROR: Can't unlink the socket file /tmp/clamd.socket
-simscan: ERROR: Can't connect to clamd: Connection refused
I have stared and stared at this. If there is a lesson to be seen here,
I am sad that it seems beyond my powers of observation. If there is a
way to reverse engineer the above observations into a rule set that also
obeys linux file permissions, I don't see how to do it.
All of my original questions stand; things are not behaving by the rules
I expect them to. How can world rw not work unless the user/group is
correct, is this some sort of umask thing? How can clamav user access
the socket without rw permission, and how can it connect as user but not
group? How can simscan connect as user but not group?
Were you expecting something different? Or more likely, am I missing
something obvious here? wouldn't be the first time I have puzzled for
days/weeks over something stupid and obvious....
Thank you again for your time...
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
