I am sorry that this reply is rather late, but for the sake of completeness and for the benefit of anyone who finds himself chasing this same problem, I would report that I have determined that the problem here was simscan, and not clamav. When I used my selected solution of using the parent directory to enforce permissions I observed that I still had the same problem. Further trial and error led me to see that simscan does not appear to observe group permissions at all.
Many thanks to those that assisted my chase of an untamed ornithoid without cause...

--
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca

On Tue, 2013-07-30 at 11:18 -0700, Bob Miller wrote:
> Hello,
>
> I am trying to trace the reasoning behind behaviour I don't understand
> with regard to permissions on the clamd.socket and simscan.
>
> My clamav runs under daemontools. I am keeping my clamd.socket in /tmp.
> My problem is *not* with clamav being able to access files in the simscan
> directory, that works just fine.
>
> For the sake of testing this phenomenon, I have simscan in the clamav
> group and clamav in the simscan group:
>
> id simscan
> uid=513(simscan) gid=513(simscan) groups=513(simscan),512(clamav)
>
> id clamav
> uid=512(clamav) gid=512(clamav) groups=512(clamav),513(simscan)
>
> Consider the following 7 permissions scenarios on the clamav socket:
>
> 1:
> srw-rw---- 1 clamav simscan 0 Jul 29 10:04 clamd.socket
> -svc -t /service/clamd: Socket file removed.
> -simscan: clamdscan: ERROR: Can't connect to clamd: Permission denied
>
> 2:
> srw-rw---- 1 simscan clamav 0 Jul 29 10:04 clamd.socket
> -svc -t /service/clamd: ERROR: Can't unlink the socket
> file /tmp/clamd.socket
> -simscan successfully scans the test message
>
> 3:
> s---rw---- 1 clamav simscan 0 Jul 29 10:04 clamd.socket
> -svc -t /service/clamd: Socket file removed.
> -simscan test message: ERROR: Can't connect to clamd: Permission denied
>
> 4:
> s---rw---- 1 simscan clamav 0 Jul 29 10:04 clamd.socket
> -svc -t /service/clamd: ERROR: Can't unlink the socket
> file /tmp/clamd.socket
> -simscan test: ERROR: Can't connect to clamd: Permission denied
>
> 5:
> s------rw- 1 root root 0 Jul 29 10:04 clamd.socket
> -svc -t /service/clamd: ERROR: LOCAL: Socket file /tmp/clamd.socket
> could not be removed: Operation not permitted
> -simscan test: ERROR: Can't connect to clamd: Permission denied
>
> 6:
> s------rw- 1 clamav simscan 0 Jul 29 10:04 clamd.socket
> -svc -t /service/clamd: Socket file removed.
> -simscan test: scans successfully
>
> 7:
> s------rw- 1 simscan clamav 0 Jul 29 10:25 clamd.socket
> -svc -t /service/clamd: ERROR: Can't unlink the socket
> file /tmp/clamd.socket
> -simscan test: ERROR: Can't connect to clamd: Permission denied
>
> In the above scenarios, I don't understand:
>
> -If the clamav group has rw on the socket, why does svc -t only work
> when clamav is the owner.
> -How can the clamav user apparently have access to the socket without rw
> (#3)?
> -Conversely, why is the same true of simscan user - why can it scan as a
> user with rw, but not as a group with rw (except in #6)?
> -How can clamav successfully scan as user without rw, while simscan user
> needs rw to connect (#3/#4)
> -How can #6 work, when #5 and #7 do not? Don't world perms let anybody
> connect, regardless of owner/group?
>
> The way I see it, because of the group rw, I think scenario #1 should
> work to let both simscan scan and daemontools to restart clamd. As
> should #2. I also think, because of the world rw, scenarios #5 and #7
> should work for both services as well as #6 does. I think in scenario
> #3 the results should be opposite to what they are, and in scenario #4,
> I think clamav should successfully restart. Somehow I ended up in
> opposite land.
>
> I also think there should be a way to let both clamav and simscan
> connect to the clamd.socket without world permissions. But nothing I
> try seems to work like I think it should. I even tried putting simscan
> and clamav users into a new group and owning the socket to that group,
> but the results were equally underwhelming.
>
> What is happening is completely contrary to what I think I know should
> be happening. As best as I can tell, user/group rw permission on the
> clamd.socket are being ignored. It seems to matter more who owns the
> socket than whether that owner has rw perms on it.
>
> Surely there is some documentation that would explain this discrepancy,
> but I have spent a good deal of time on google over the last few days
> and not found it. Would anybody be able to point me at such
> documentation, or offer explanation to clear my confusion?
>
> Thanks for any thoughts you wish to share...
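
The seven scenarios above can be checked against the standard POSIX permission rules with a small model; this is an added example, not part of the original message or of clamav/simscan. It assumes Linux semantics (connecting to a Unix socket needs write permission on it) and that /tmp is root-owned with mode 1777; the function names are hypothetical.

```python
# Added example (not from the thread). Scenario rows are copied from the
# message; /tmp as root-owned mode 1777 and Linux semantics are assumptions.
import stat

CLAMAV, SIMSCAN, ROOT = 512, 513, 0   # uids/gids from the `id` output

# (scenario, socket mode, owner, group) as listed in the message
SCENARIOS = [
    (1, 0o660, CLAMAV, SIMSCAN), (2, 0o660, SIMSCAN, CLAMAV),
    (3, 0o060, CLAMAV, SIMSCAN), (4, 0o060, SIMSCAN, CLAMAV),
    (5, 0o006, ROOT, ROOT),
    (6, 0o006, CLAMAV, SIMSCAN), (7, 0o006, SIMSCAN, CLAMAV),
]

def can_write(mode, owner, group, uid, gids):
    """Exactly one permission class applies: owner, else group, else other."""
    if uid == ROOT:
        return True
    if uid == owner:
        return bool(mode & stat.S_IWUSR)
    if group in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def can_unlink(file_owner, uid, dir_mode=0o1777, dir_owner=ROOT):
    """Unlink needs write on the directory; a sticky directory also requires
    the caller to own the file or the directory (or be root)."""
    if uid == ROOT:
        return True
    writable = bool(dir_mode & stat.S_IWOTH)  # assumed: caller is 'other' on /tmp
    if dir_mode & stat.S_ISVTX:
        return writable and uid in (file_owner, dir_owner)
    return writable

def evaluate(simscan_gids):
    """Map scenario -> (clamd can unlink socket, simscan can connect)."""
    return {n: (can_unlink(owner, CLAMAV),
                can_write(mode, owner, group, SIMSCAN, simscan_gids))
            for n, mode, owner, group in SCENARIOS}

if __name__ == "__main__":
    for label, gids in (("groups applied", {CLAMAV, SIMSCAN}),
                        ("groups ignored", set())):
        for n, (unlink, connect) in evaluate(gids).items():
            print(f"{label}: #{n} unlink={unlink} connect={connect}")
```

With an empty group set the connect column matches the reported simscan results for every scenario except #5, and the unlink column matches the reported `svc -t` results for all seven. With both groups applied, #1, #3 and #6 come out opposite to what was reported.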